ceph: fix unsafe dcache access in ceph_encode_dentry_release

Accessing d_parent requires some sort of locking or it could vanish
out from under us. Since we take the d_lock anyway, use that to fetch
d_parent and take a reference to it, and then use that reference to
call ceph_encode_inode_release.

Link: http://tracker.ceph.com/issues/18148
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Yan, Zheng <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 94fd76d04683..d1b4c543cab1 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -3926,7 +3926,7 @@ int ceph_encode_inode_release(void **p, struct inode *inode,
 int ceph_encode_dentry_release(void **p, struct dentry *dentry,
                                int mds, int drop, int unless)
 {
-        struct inode *dir = d_inode(dentry->d_parent);
+        struct dentry *parent;
         struct ceph_mds_request_release *rel = *p;
         struct ceph_dentry_info *di = ceph_dentry(dentry);
         int force = 0;
@@ -3941,9 +3941,12 @@ int ceph_encode_dentry_release(void **p, struct dentry *dentry,
         spin_lock(&dentry->d_lock);
         if (di->lease_session && di->lease_session->s_mds == mds)
                 force = 1;
+        parent = dget(dentry->d_parent);
         spin_unlock(&dentry->d_lock);
 
-        ret = ceph_encode_inode_release(p, dir, mds, drop, unless, force);
+        ret = ceph_encode_inode_release(p, d_inode(parent), mds, drop,
+                                        unless, force);
+        dput(parent);
 
         spin_lock(&dentry->d_lock);
         if (ret && di->lease_session && di->lease_session->s_mds == mds) {