From: Farhad Alemi
Date: Tue, 26 May 2026 16:08:23 -0400
Subject: [PATCH] affs: split hash-lock subclass and reject self-referencing dir entry
To: David Sterba
Cc: Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

affs_remove_header() acquires i_hash_lock on the parent directory at the
top of the function and again on the child inode inside the ST_USERDIR
arm, both via affs_lock_dir() which uses SINGLE_DEPTH_NESTING. Lockdep
sees two acquisitions of the same lock class in the same task at the same
subclass and warns:

  WARNING: possible recursive locking detected
  syz.2.17/3573 is trying to acquire lock:
  ffff888123db0778 (&ei->i_ext_lock/1){+.+.}-{4:4}, at: affs_lock_dir
    affs_remove_header+0x72f fs/affs/amigaffs.c:296
  but task is already holding lock:
  ffff888123db0100 (&ei->i_ext_lock/1){+.+.}-{4:4}, at: affs_lock_dir
    affs_remove_header+0x261 fs/affs/amigaffs.c:289
  Call Trace:
    affs_lock_dir fs/affs/affs.h:311 [inline]
    affs_remove_header+0x72f/0x1ab0 fs/affs/amigaffs.c:296
    vfs_rmdir+0x20b/0x6a0 fs/namei.c:4446
    do_rmdir+0x2ed/0x3c0 fs/namei.c:4524
    __x64_sys_unlinkat+0xf4/0x140 fs/namei.c:4692

With panic_on_warn this terminates the kernel. The two lock instances in
the report are distinct inodes (db0778 vs db0100), so what lockdep is
reporting is two acquisitions of the same lock class at the same subclass
-- a missing subclass distinction in the annotation.

Trigger requires the ability to mount a crafted image (CAP_SYS_ADMIN or
equivalent) and is reproduced by rmdir() of a subdirectory under a crafted
AFFS image.

The same locking pattern is also vulnerable to a strict self-deadlock on a
crafted image whose on-disk hash table contains an entry with i_ino equal
to its containing directory's own block number: affs_iget() would return
the same in-memory inode for both d_inode(dentry) and
d_inode(dentry->d_parent), and the two affs_lock_dir() calls would take
the same mutex twice. No lockdep distinction would prevent this since the
same lock instance is acquired twice.

Address both by:

1. Adding affs_lock_subdir() that uses SINGLE_DEPTH_NESTING + 1, so
   lockdep can prove the nested parent->child acquisition is safe.

2. Rejecting the case where the parsed child inode coincides with the
   parent before taking the second lock, returning -EIO under the existing
   done_unlock path so all previously-acquired locks are released cleanly.

Reported-by: Farhad Alemi
Closes: https://lore.kernel.org/lkml/CA+0ovCiA7huMwMxvWgC8km2P+gJwd-jax+ACo=EbGrJ6FVp55A@mail.gmail.com/
Signed-off-by: Farhad Alemi
---
 fs/affs/affs.h     | 6 ++++++
 fs/affs/amigaffs.c | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/fs/affs/affs.h b/fs/affs/affs.h index a0caf6ace860..c4af169294ed 100644 --- a/fs/affs/affs.h +++ b/fs/affs/affs.h @@ -313,6 +313,12 @@ affs_lock_dir(struct inode *inode) mutex_lock_nested(&AFFS_I(inode)->i_hash_lock, SINGLE_DEPTH_NESTING); } static inline void +affs_lock_subdir(struct inode *inode) +{ + mutex_lock_nested(&AFFS_I(inode)->i_hash_lock, + SINGLE_DEPTH_NESTING + 1); +} +static inline void affs_unlock_dir(struct inode *inode) { mutex_unlock(&AFFS_I(inode)->i_hash_lock); diff --git a/fs/affs/amigaffs.c b/fs/affs/amigaffs.c index bed4fc805e8e..fefc2bb11d43 100644 --- a/fs/affs/amigaffs.c +++ b/fs/affs/amigaffs.c 
@@ -293,7 +293,11 @@ affs_remove_header(struct dentry *dentry) * i_hash_lock of the inode must only be * taken after some checks */ - affs_lock_dir(inode); + if (inode =3D=3D dir) { + retval =3D -EIO; + goto done_unlock; + } + affs_lock_subdir(inode); retval =3D affs_empty_dir(inode); affs_unlock_dir(inode); if (retval) --=20 2.43.0
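
Review bot: affs_lock_subdir() in the fs/affs/affs.h hunk has no comment saying when it may be used. SINGLE_DEPTH_NESTING + 1 only tells lockdep that the nesting is intended, so the helper should state the ordering it relies on (parent taken with affs_lock_dir() first, then the child with affs_lock_subdir()) and that the caller must already have ruled out the child being the same inode as the parent. A named subclass constant instead of the open-coded "+ 1" would make the two levels easier to find. The quoted report also names &ei->i_ext_lock while the message and this helper speak of i_hash_lock; one sentence in the commit message on how the two relate would save readers a lookup.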
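
Review bot: the new "if (inode == dir)" branch in the fs/affs/amigaffs.c hunk returns -EIO without logging anything, so an rmdir() that fails on a corrupted image leaves no trace of the reason. Consider reporting the self-referencing entry through affs_error() or affs_warning() before the "goto done_unlock", including the inode number. The existing comment just above ("i_hash_lock of the inode must only be taken after some checks") could also say that this self-reference check is one of those checks, so that it is not later moved below the lock.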
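
The argument in the commit message above, as an added userspace example that is not part of the patch or of the kernel: a toy model in which a lock class is the pair (key, subclass), showing why a second subclass silences the warning for distinct inodes but cannot help when parent and child are the same inode. All names (acquire, remove_subdir, struct held, the inode numbers) are hypothetical, and the model only approximates lockdep.

```c
#include <errno.h>
#include <stdio.h>

#define SINGLE_DEPTH_NESTING 1  /* kernel value; the "/1" in the report */
enum verdict { OK, RECURSIVE_WARN, SELF_DEADLOCK };
/* Toy lockdep: a lock class is (key, subclass); the instance is tracked separately. */
struct held { const void *key; int subclass; const void *instance; };
struct task { struct held stack[4]; int depth; };
struct dir_inode { unsigned long ino; int lock; /* stands in for i_hash_lock */ };
static const char hash_lock_key = 0; /* one key shared by every inode's lock */

static enum verdict acquire(struct task *t, struct dir_inode *d, int subclass)
{
    enum verdict v = OK;
    for (int i = 0; i < t->depth; i++) {
        if (t->stack[i].instance == &d->lock)
            return SELF_DEADLOCK;   /* a real mutex_lock() would never return */
        if (t->stack[i].key == &hash_lock_key && t->stack[i].subclass == subclass)
            v = RECURSIVE_WARN;     /* "possible recursive locking detected" */
    }
    t->stack[t->depth++] = (struct held){ &hash_lock_key, subclass, &d->lock };
    return v;
}

/* Models the ST_USERDIR arm of affs_remove_header(): parent first, then child. */
static int remove_subdir(struct dir_inode *dir, struct dir_inode *inode,
                         int child_subclass, int reject_self, enum verdict *seen)
{
    struct task t = { .depth = 0 };
    *seen = acquire(&t, dir, SINGLE_DEPTH_NESTING);   /* affs_lock_dir(dir) */
    if (reject_self && inode == dir)
        return -EIO;                                  /* check added by the patch */
    *seen = acquire(&t, inode, child_subclass);
    return *seen == SELF_DEADLOCK ? -EDEADLK : 0;
}

int main(void)
{
    struct dir_inode parent = { 2, 0 }, child = { 3, 0 };  /* constructed inodes */
    struct dir_inode *kids[] = { &child, &child, &parent, &parent };
    int sub[] = { 1, 2, 2, 2 }, chk[] = { 0, 0, 0, 1 };
    for (int i = 0; i < 4; i++) {
        enum verdict v;
        int rc = remove_subdir(&parent, kids[i], sub[i], chk[i], &v);
        printf("case %d: rc=%d verdict=%d\n", i, rc, v);
    }
    return 0;
}
```

The four cases are, in order: the pre-patch annotation, the new subclass, a self-referencing entry without the check, and the same entry with the check.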