On Wed, Apr 14, 2021 at 03:00:48AM +0000, Al Viro wrote:
> Ugh... So when dput() drives the refcount down to 0 you hit lock_parent()
> and only then bother to check if the sucker had been negative in the first
^^^^^^^^^^^^^^^^^
had zero refcount, of course.
> place?
> > @@ -1970,6 +2021,8 @@ void d_instantiate(struct dentry *entry, struct inode
> > * inode)
> > {
> > BUG_ON(!hlist_unhashed(&entry->d_u.d_alias));
> > if (inode) {
> > + if (d_is_tail_negative(entry))
> > + recycle_negative(entry);
> > security_d_instantiate(entry, inode);
> > spin_lock(&inode->i_lock);
> > __d_instantiate(entry, inode);
>
> Wait a bloody minute. What about d_instantiate_new() right next to it?
Another fun question: where's the proof that __d_add(dentry, non_NULL_inode)
won't happen to dentry marked tail-negative? From a quick grep I see at
least one such place - on success cifs_do_create() does
d_drop(direntry);
d_add(direntry, newinode);
and it would bloody well evade what you are doing in d_instantiate().
Same seems to be true for nfs_link()...
