git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Alex Markuze <amarkuze@redhat.com>
	Tue, 12 Aug 2025 09:57:39 +0000 (09:57 +0000)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 19 Sep 2025 14:37:33 +0000 (16:37 +0200)
commit	1315d252a0e2ad83134cc434d2ac19db28153e56
tree	f96a1963105ded074d606257757b18a3c33af122	tree \| snapshot
parent	2bfe45987eb346e299d9f763f9cd05f77011519f	commit \| diff

ceph: fix race condition where r_parent becomes stale before sending message

commit bec324f33d1ed346394b2eee25bf6dbf3511f727 upstream.

When the parent directory's i_rwsem is not locked, req->r_parent may become
stale due to concurrent operations (e.g. rename) between dentry lookup and
message creation. Validate that r_parent matches the encoded parent inode
and update to the correct inode if a mismatch is detected.

[ idryomov: folded a follow-up fix from Alex to drop extra reference
  from ceph_get_reply_dir() in ceph_fill_trace():

  ceph_get_reply_dir() may return a different, referenced inode when
  r_parent is stale and the parent directory lock is not held.
  ceph_fill_trace() used that inode but failed to drop the reference
  when it differed from req->r_parent, leaking an inode reference.

  Keep the directory inode in a local variable and iput() it at
  function end if it does not match req->r_parent. ]

Cc: stable@vger.kernel.org
Signed-off-by: Alex Markuze <amarkuze@redhat.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>