From nobody Thu Apr 2 15:36:15 2026 Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8EE563A9D9D for ; Fri, 27 Mar 2026 16:23:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.47 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774628610; cv=none; b=GVuucmt8Y/yhZRD3DBx8HKvUPOBS02b05XbJpMZo5BD5P/o7Cg3e3QiMLwvpsH2LG2FAPdFVpBvrzAcVfAsn2mF7p/Gp0u8rg/7FwnsRndtX06z1z8RpSg0QcsmpiQ5u/vln82oRd+2WoTOGeIUK9/FRPav3hmDGFWAp2y2m6hY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774628610; c=relaxed/simple; bh=kM6h7buYmvPWe3WeN4m+xIms9TRX4kj6vu1ECi4LQ8Q=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=IPHYU7H9DnGhbMOnGyPoYiTrBsc9ljFxPnII0ezWEQTOKFrO+R5uGBjqChdJ4cgBMtYMrAoOIZXERX2iVvqvRhTQYzi4w/zqcCGv+YNuyk/A6L5S4JjueYx330EvcAcHnEMKjDBGfXSe/Q6lDvHptn94aP7w5hlQk3NB0GFw+AE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=ionos.com; spf=pass smtp.mailfrom=ionos.com; dkim=pass (2048-bit key) header.d=ionos.com header.i=@ionos.com header.b=dFlUZDKm; arc=none smtp.client-ip=209.85.128.47 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=ionos.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ionos.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ionos.com header.i=@ionos.com header.b="dFlUZDKm" Received: by mail-wm1-f47.google.com with SMTP id 5b1f17b1804b1-486507134e4so26714685e9.0 for ; Fri, 27 Mar 2026 09:23:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ionos.com; s=google; t=1774628606; x=1775233406; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Li+MhdhKR/VteHKksntf5bm/t2yJMb4kcBZQfykWGTU=; b=dFlUZDKmBRY1fmnnK16YeViu7Zb+gj1Z2dR46ickp8ZY5iSqmX3bwV8lQYjpS9VOgR sfUPMUTTholfEsJ7EBlVJxmlNFt3uATsJ5eBKD3/zXbnOpieY7oHjLooLdeaOK7Yc6P7 XvyR9Feg79e3c8dKcv9oVTwms8bUmOnMtThKvqHK0K9pf7Y+jU6nqCbt0Ut4Sy0yyOX8 bXDl6cvtKtJWxgrgTuqF2UbSYvem+jVADrqOLVQLipJX49kdXART1WIfJMiUeSnpvz9T UZ4p7Xu1AUimd+GlMElEBn0NWHMv8UkSimpyCL+7gU9+C/gqRUKxYUEbd7Dh4Vt4AftS VOcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1774628606; x=1775233406; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Li+MhdhKR/VteHKksntf5bm/t2yJMb4kcBZQfykWGTU=; b=GRJ164Hywsx3KGL8nT2j9mZ2IXNHNMqjk1BoWDgtjqUCVfe0BIyv3z7rkmf13c93ZM ccIXFUjQ3brOvGgPohFfwyPKnn70l/dlXBKQjP9yaM6oO7cixwzgS4No/WM1ouWsisbt m3WENd8G8BIyIF+8CfFh0wcEnrW4vZYXfwTSTebSCdJ6xpGFREqBWOQQi+MovJcOpbxM iE0ML9O0RjRjT1HLZcQ9fLg4rgbkKF74dB8fWVSCDyYXQctcjjLiXmRUytH/EGbBedlH Za4jJW1BFcYQgMfJpyKvcck5gD+OMcUSX91WYWbeYE+1mDl/OMIqN67iNSLXEM0/6cSH m2eQ== X-Forwarded-Encrypted: i=1; AJvYcCXjNCDAo7Qv1/wtJ2pd3hgqdQFewh1mt0a0HgYDYa14nyA8ijir/cpLMaFTkmDqDJPQu0Ldl9z4V365vEc=@vger.kernel.org X-Gm-Message-State: AOJu0Yww0L/6tbdUyRVoalszi9qRkJMiTz2yVXd7tCpPLkW3pwIz6i2R 9DSEOMjFHV8zDDBtGu5LwdsvM6WYdHJrn/HNgmUYKuwYZZysWPsyD/Bf4uNwcqCGuSI= X-Gm-Gg: ATEYQzztjEY1iCm4wwUVx/AxQEWqowEzcopdiDeQwiZOYMBJZqtMWKz7M1g2MYqU91J D1kApuOFHkYEUvXfyUfDxaKjwdOAAWit2lUSG56gsj87kfG0XZnQUMPVSsCHVBZRPQbB1f15IgV orluCP73yeaNBxP6bbF8QddEXEE/OGV2F7MuclG7vVdMgeSKW8htW/IeVTQ9J+jmsXgooZpeFTz 4mzsieuOziyjiwIsckRFYBrsjPW/cz4gpRBsILti7VFCbW1QvhI5SjFiL7tk1Dk2Gfvvn+x6VIE N7nKGRehlZeTMKk/fZRWZbgAVXJQxXHxdw0OL2Xmfy6hIxJCVz+SjPa7maNfRI4mgaStgxG83E9 9RRiutBoxumPew+eAHlR7uYGuN/7DUkh1WaM1DRUv9BpYswygvlCITw4SgpPghdLp+UTx3uWp7v aABm+urCCPDnSnJhbXbklRCWiUqiRYo/h6ZlwmCW73qnXS7CflW2Hvk2I0bKvq3E/Ffo9HIJDJX sf/kgNuR2JKegDU3uGXR1Y9tmY= X-Received: by 2002:a05:600c:a108:b0:485:4388:348b with SMTP id 5b1f17b1804b1-48727c81d77mr45901305e9.0.1774628605920; Fri, 27 Mar 2026 09:23:25 -0700 (PDT) Received: from raven.intern.cm-ag (p200300dc6f2b4400023064fffe740809.dip0.t-ipconnect.de. [2003:dc:6f2b:4400:230:64ff:fe74:809]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48722c7cec3sm97085725e9.6.2026.03.27.09.23.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Mar 2026 09:23:25 -0700 (PDT) From: Max Kellermann To: idryomov@gmail.com, amarkuze@redhat.com, ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Max Kellermann , stable@vger.kernel.org Subject: [PATCH] ceph: only d_add() negative dentries when they are unhashed Date: Fri, 27 Mar 2026 17:23:08 +0100 Message-ID: <20260327162308.1118621-1-max.kellermann@ionos.com> X-Mailer: git-send-email 2.47.3 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Ceph can call d_add(dentry, NULL) on a negative dentry that is already present in the primary dcache hash. In the current VFS that is not safe. d_add() goes through __d_add() to __d_rehash(), which unconditionally reinserts dentry->d_hash into the hlist_bl bucket. If the dentry is already hashed, reinserting the same node can corrupt the bucket, including creating a self-loop. Once that happens, __d_lookup() can spin forever in the hlist_bl walk, typically looping only on the d_name.hash mismatch check and eventually triggering RCU stall reports like this one: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 87-....: (2100 ticks this GP) idle=3D3a4c/1/0x400000000000000= 0 softirq=3D25003319/25003319 fqs=3D829 rcu: (t=3D2101 jiffies g=3D79058445 q=3D698988 ncpus=3D192) CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-= i1-amd #950 NONE Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023 RIP: 0010:__d_lookup+0x46/0xb0 Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe= 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 = 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f RSP: 0018:ff745a70c8253898 EFLAGS: 00000282 RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966 RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0 RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89 R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0 R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:00000000000000= 00 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: lookup_fast+0x9f/0x100 walk_component+0x1f/0x150 link_path_walk+0x20e/0x3d0 path_lookupat+0x68/0x180 filename_lookup+0xdc/0x1e0 vfs_statx+0x6c/0x140 vfs_fstatat+0x67/0xa0 __do_sys_newfstatat+0x24/0x60 do_syscall_64+0x6a/0x230 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is reachable with reused cached negative dentries. A Ceph lookup or atomic_open can be handed a negative dentry that is already hashed, and fs/ceph/dir.c then hits one of two paths that incorrectly assume "negative" also means "unhashed": - ceph_finish_lookup(): MDS reply is -ENOENT with no trace -> d_add(dentry, NULL) - ceph_lookup(): local ENOENT fast path for a complete directory with shared caps -> d_add(dentry, NULL) Both paths can therefore re-add an already-hashed negative dentry. Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn) is true. Fix both fs/ceph/dir.c sites the same way: only call d_add() for a negative dentry when it is actually unhashed. If the negative dentry is already hashed, leave it in place and reuse it as-is. This preserves the existing behavior for unhashed dentries while avoiding d_hash list corruption for reused hashed negatives. Fixes: 2817b000b02c ("ceph: directory operations") Cc: stable@vger.kernel.org Signed-off-by: Max Kellermann Reviewed-by: Viacheslav Dubeyko --- fs/ceph/dir.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c index bac9cfb6b982..27ce9e55e947 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -769,7 +769,8 @@ struct dentry *ceph_finish_lookup(struct ceph_mds_reque= st *req, d_drop(dentry); err =3D -ENOENT; } else { - d_add(dentry, NULL); + if (d_unhashed(dentry)) + d_add(dentry, NULL); } } } @@ -840,7 +841,8 @@ static struct dentry *ceph_lookup(struct inode *dir, st= ruct dentry *dentry, spin_unlock(&ci->i_ceph_lock); doutc(cl, " dir %llx.%llx complete, -ENOENT\n", ceph_vinop(dir)); - d_add(dentry, NULL); + if (d_unhashed(dentry)) + d_add(dentry, NULL); di->lease_shared_gen =3D atomic_read(&ci->i_shared_gen); return NULL; } --=20 2.47.3