On Wed, Jan 6, 2021 at 10:16 AM Amir Goldstein <amir73il@gmail.com> wrote:

> Please note that NFS doesn't do "silly rename" for directories,
> so mitigation is mostly needed for non-dir.

Okay.

> An alternative method if daemon is not capable, is to store parent dirfd
> in addition to filehandle and implement open_child_by_handle_at(int
> parent_fd, ...):
> - readdir(parend_fd)
> - search a match for d_ino
> - name_to_handle_at() and verify match to stored filehandle
>
> This is essentially what open_by_handle_at(2) does under the covers
> with a "connectable" non-dir filehandle after having resolved the
> parent file handle part. And "connectable" file handles are used by nfsd
> to enforce "subtree_check" to make sure that file wasn't moved outside
> obtainable path after initial lookup.

Yes, sort of makes sense, but will have corner cases for hard links in
different directories, open files after unlink, etc..

Also back to the original problem: what we really want is to close the
O_PATH descriptor on unlink().  This should be possible, regardless of
any FORGET, assuming

1) no open files exist that reference the inode
2) no aliases have been looked up (i.e. just one cached dentry)

The attached untested patch tries to do this.

Thanks,
Miklos