Unverified Commit 1635c2ac authored Mar 27, 2026 by NeilBrown Committed by Christian Brauner Mar 31, 2026

cachefiles: fix incorrect dentry refcount in cachefiles_cull()



The patch mentioned below changed cachefiles_bury_object() to expect 2
references to the 'rep' dentry.  Three of the callers were changed to
use start_removing_dentry() which takes an extra reference so in those
cases the call gets the expected references.

However there is another call to cachefiles_bury_object() in
cachefiles_cull() which did not need to be changed to use
start_removing_dentry() and so was not properly considered.
It still passed the dentry with just one reference so the net result is
that a reference is lost.

To meet the expectations of cachefiles_bury_object(), cachefiles_cull()
must take an extra reference before the call.  It will be dropped by
cachefiles_bury_object().

Reported-by: Marc Dionne <marc.dionne@auristor.com>
Fixes: 7bb1eb45 ("VFS: introduce start_removing_dentry()")
Signed-off-by: NeilBrown <neil@brown.name>
Link: https://patch.msgid.link/177456350181.1851489.16359967086642190170@noble.neil.brown.name


Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>

parent d0c3bcd5

fs/cachefiles/namei.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -810,6 +810,11 @@ int cachefiles_cull(struct cachefiles_cache cache, struct dentry dir,
		if (ret < 0)
		goto error_unlock;

		/*
		* cachefiles_bury_object() expects 2 references to 'victim',
		* and drops one.
		*/
		dget(victim);
		ret = cachefiles_bury_object(cache, NULL, dir, victim,
		FSCACHE_OBJECT_WAS_CULLED);
		dput(victim);