From eeec741ee0df36e79a847bb5423f9eef4ed96071 Mon Sep 17 00:00:00 2001
From: Neil Brown
Date: Thu, 27 Nov 2025 11:48:56 +0100
Subject: [PATCH] nfsd: fix end_creating() conversion
Avoid a double-unlock as nfs_create_locked() will have unlocked the parent and do the dput() manually.
Christian Brauner says: I've taken Neil's proposed fix from [1] and added a commit message.
Fixes: https://lore.kernel.org/202511252132.2c621407-lkp@intel.com [1]
Fixes: bd6ede8a06e8 ("VFS/nfsd/cachefiles/ovl: introduce start_removing() and end_removing()")
Signed-off-by: Neil Brown
Signed-off-by: Christian Brauner
---
 fs/nfsd/nfsproc.c | 3 +++
 fs/nfsd/vfs.c | 6 ++----
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
index 28f03a6a3cc38..481e789a76974 100644
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -407,6 +407,9 @@ nfsd_proc_create(struct svc_rqst *rqstp)
 /* File doesn't exist. Create it and set attrs */
 resp->status = nfsd_create_locked(rqstp, dirfhp, &attrs, type, rdev, newfhp);
+ /* nfsd_create_locked() unlocked the parent */
+ dput(dchild);
+ goto out_write;
 } else if (type == S_IFREG) {
 dprintk("nfsd: existing %s, valid=%x, size=%ld\n", argp->name, attr->ia_valid, (long) attr->ia_size);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 6e9a57863904c..6a6019368940b 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1633,16 +1633,14 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
 return nfserrno(host_err);
 err = fh_compose(resfhp, fhp->fh_export, dchild, fhp);
- /*
- * We unconditionally drop our ref to dchild as fh_compose will have
- * already grabbed its own ref for it.
- */
 if (err)
 goto out_unlock;
 err = fh_fill_pre_attrs(fhp);
 if (err != nfs_ok)
 goto out_unlock;
 err = nfsd_create_locked(rqstp, fhp, attrs, type, rdev, resfhp);
+ /* nfsd_create_locked() unlocked the parent */
+ dput(dchild);
 return err;
 out_unlock:
-- 2.47.3
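Review bot: The added `dput(dchild); goto out_write;` after the nfsd_create_locked() call makes this branch depend on nfsd_create_locked() having unlocked the parent on every return, including its failure returns, and on `out_write` sitting past the unlock-and-dput tail that the `else if` branches still fall through to; neither contract is recorded beyond the one-line comment, and nfsd_proc_create() starts and ends outside the hunk, so the position of `out_write` relative to that tail cannot be checked here. I'd make the comment carry both halves: `/* nfsd_create_locked() has unlocked the parent (success and failure alike); drop our ref to dchild and skip the unlock in the common tail */`. A kernel-doc line on nfsd_create_locked() stating that it always unlocks the parent would let both callers cite one definition instead of restating the rule inline.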
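Review bot: The removed four-line comment was the only place stating why `dput(dchild)` is safe while resfhp still refers to the child — fh_compose() took its own reference — and the replacement comment only records the unlock, so the ownership reasoning is lost at the exact line that drops the reference. I'd keep both facts together: `/* nfsd_create_locked() unlocked the parent; resfhp holds its own ref to dchild from fh_compose(), so drop ours */`. The `out_unlock:` error path and the rest of nfsd_create() lie outside the hunk, so whether that path still performs its own dput after an fh_compose() or fh_fill_pre_attrs() failure cannot be confirmed here. The commit message refers to nfs_create_locked(); the function in both hunks is nfsd_create_locked().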