This problem happens anyway when one or more processes have that
directory as their root or cwd, referring to it by open inode.

In article <v15gcp$18g38$***@dont-email.me>, <***@dastardlyhq.com> wrote:
...
Without hard links, you could not have a Unix filesystem.

So, you do need them.

Oh, I see. And if we were to fix this by removing the directory as well
in the two or more places it was linked to? Wouldn't it be useful as a
single directory that has two absolute paths? That seems useful to me.

Note that unix filesystems support a limited, controlled subset of hardlinks:
the "." and ".." directories found in each directory. The OS controls the
creation and deletion of /these/ hardlinks from within, as part of the mkdir(2)
and rmdir(2) syscalls. And, the only cyclical hardlink (that I know of, anyway)
lives as "/..", which links to itself.

As for a cyclical hardlink, imagine the following:
# Build a disposable directory
mkdir /tmp/dumb

# Populate the disposable directory with a cyclical hardlink
ln /tmp/dumb /tmp/dumb/dumber

# Now, let's empty the disposable directory
rm -rf /tmp/dumb

What does the "rm -rf" do when that "ln /tmp/dumb /tmp/dumb/dumber" actually
creates a hardlink from /tmp/dumb/dumber to /tmp/dumb ?

You mean, trouble some cyclicity that is detectable with a lot of
annoying fuss, that has to be done wherever the filesystem is being
recursively traversed.
If you keep the path of inodes you have visited in order to reach a
certain directory, then you can detect a cycle by checking whether a
newly visited directory is one of the elements of the path. Since
paths are reasonably short, you don't need any fancy hash data structure
for this; a linear scan will work fine in most cases, and so you can
represent the path as a linked list that is allocated on the stack,
if working in C.

void recurse(..., visited_node *parent)
{
visited_node current = { .up = parent };
// ...
}

The cyclic check is simply chasing the parent->up pointers to see if any
of the visited nodes is the same object as the newly visited one.

The problem is:

1. Everything that performs traversals of the filesystem now *has* to do
this, or risk being stuck in a loop. There is a bad habit in the
Unix programming culture of people rolling their own filesystem
traversal functions. Some of them would get it wrong, ending up in
infinite loops.

2. Even if you have cycle detection, you still have the problem that
every recursive traversal performed anywhere runs the risk of
potentially visiting the entire filesystem!

Directory hard links could be restricted to being downward-only. So that
is to say, if you create a P/C -> D hard link, then X is required to be
a descendant of P, such as P/X/Y/D.

To check that without race conditions, the kernel would have to lock
down all operations on that filesystem during the link operation.
Starting at D, it could navigate the parent .. links until it hits
the root directory, P, or hits a mount point crossing. If it finds P,
then it can conclude that the link can be made. (Without TOCtoTOU
if things are properly locked down.)

Holding a lock over a complex operation like that could open an avenue
to a DOS attack against the filesystem. Imagine a swarm of threads doing
directory linking operations, causing that lock to be excessively held.

The descendant restriction would make directory hardlinks inapplicable
to some people's use cases. (Oh well, they'd have to use symlinks
for those situations.)

Multiple cycle-detection algorithms have been well known for decades.
Something gets stuck in a loop.

In the hypothetical where hard-link directories was possible, filesystem
traversers would have to take into account the possibility of
cycles. It’d be an extra implementation detail, comparable to the way
real ones have to take into account the possibility of the filesystem
changing as they progress, or accept with the consequences if they
don’t.

You’re on stronger grounds with “unnecessary” but a three-very bad idea?
Insufficient evidence at best.