Re: [PATCH] fs: make sure to fail try_to_unlazy() and try_to_unlazy() for LOOKUP_CACHED

[Chris Mason]

On 12/12/25 7:11 AM, Mateusz Guzik wrote:
> Otherwise the slowpath can be taken by the caller, defeating the flag.
> 
> This regressed after calls to legitimize_links() started being
> conditionally elided and stems from the routine always failing
> after seeing the flag, regardless if there were any links.
> 
> In order to address both the bug and the weird semantics make it illegal
> to call legitimize_links() with LOOKUP_CACHED and handle the problem at
> the two callsites.
> 
> While here another tiny tidyp: ->depth = 0 can be moved into
> drop_links().
> 
AI flagged that last ->depth = 0 in drop_links().  I made it list
out the ways it thinks this can happen to make it easier to
call BS if it's wrong, but I think you can judge this a lot faster
than me:

> diff --git a/fs/namei.c b/fs/namei.c
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -774,6 +774,7 @@ static void drop_links(struct nameidata *nd)
>  		do_delayed_call(&last->done);
>  		clear_delayed_call(&last->done);
>  	}
> +	nd->depth = 0;
>  }
>
>  static void leave_rcu(struct nameidata *nd)
> @@ -799,7 +800,7 @@ static void terminate_walk(struct nameidata *nd)
>  	} else {
>  		leave_rcu(nd);
>  	}
> -	nd->depth = 0;
> +	VFS_BUG_ON(nd->depth);
>  	nd->path.mnt = NULL;
>  	nd->path.dentry = NULL;
>  }

Moving nd->depth = 0 into drop_links() appears to break terminate_walk()
in non-RCU mode. The function reads:

    static void terminate_walk(struct nameidata *nd)
    {
        if (unlikely(nd->depth))
            drop_links(nd);              // <-- now sets nd->depth = 0
        if (!(nd->flags & LOOKUP_RCU)) {
            int i;
            path_put(&nd->path);
            for (i = 0; i < nd->depth; i++)   // <-- nd->depth is 0 here
                path_put(&nd->stack[i].link); // <-- loop never executes
            ...
        }
        ...
    }

When terminate_walk() is called in non-RCU mode with nd->depth > 0 (after
following symlinks), the path_put() loop for nd->stack[i].link will run
zero iterations because drop_links() has already zeroed nd->depth. Can
this leak references on the symlink paths stored in nd->stack[]?

Concrete paths where this can occur:

1. Retry after RCU-walk failure (non-RCU from the start):

   filename_lookup()
     -> path_lookupat(&nd, flags | LOOKUP_RCU, path)
     -> returns -ECHILD
     -> path_lookupat(&nd, flags, path)   // retry WITHOUT LOOKUP_RCU
         -> path_init() in non-RCU mode
         -> link_path_walk() follows symlinks
             -> pick_link() calls mntget() and increments nd->depth
         -> terminate_walk()              // nd->depth > 0, refs held

2. Mid-walk transition via try_to_unlazy():

   path_lookupat() in RCU mode
     -> link_path_walk() follows symlinks, nd->depth > 0
         -> pick_link()
             -> atime_needs_update() returns true
             -> try_to_unlazy()
                 -> legitimize_links() takes refs on nd->stack[].link
                 -> leave_rcu() clears LOOKUP_RCU
     -> error occurs later
     -> terminate_walk()                  // nd->depth > 0, refs held

3. Transition via complete_walk():

   path_lookupat() in RCU mode
     -> link_path_walk() follows symlinks, nd->depth > 0
     -> complete_walk()
         -> try_to_unlazy()
             -> legitimize_links() takes refs
             -> leave_rcu()
     -> later check fails (e.g., -ENOTDIR)
     -> terminate_walk()                  // nd->depth > 0, refs held

In all these paths, nd->stack[i].link holds references that should be
released by the path_put() loop in terminate_walk(), but the loop runs
zero iterations because drop_links() has already zeroed nd->depth.

[ ... ]

-chris