From: Farhad Alemi
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
Date: Mon, 25 May 2026 19:16:44 -0700
Subject: [PATCH] affs: don't instantiate dentry if affs_insert_hash failed
To: David Sterba
Cc: Christian Brauner, Jan Kara, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

affs_add_entry() calls d_instantiate() unconditionally after
affs_insert_hash() returns, even when the hash insert failed. When the
parent directory's block cannot be read (e.g. -EIO from affs_bread on a
crafted image), affs_insert_hash() returns the error, but the dentry has
already been bound to the freshly-created inode by d_instantiate().

The callers (affs_create / affs_mkdir / affs_symlink) then run iput() on
the inode in their error path, dropping its refcount to zero and
evicting it through affs_evict_inode(). The dentry still holds a pointer
to that now-evicted inode. On umount, shrink_dcache_for_umount() walks
the dentry and __dentry_kill() calls iput() on an inode already in
I_FREEING|I_CLEAR, hitting the VFS_BUG_ON_INODE() at fs/inode.c:1980:

  VFS_BUG_ON_INODE(inode_state_read_once(inode) & (I_FREEING | I_CLEAR))
  inode:... fs:affs mode:120777 ... state:0x300 count:0
  kernel BUG at fs/inode.c:1980!

  Call Trace:
   iput+0xe29/0xe80 fs/inode.c:1980
   __dentry_kill+0x20e/0x710 fs/dcache.c:718
   shrink_kill+0xa9/0x2c0 fs/dcache.c:1195
   shrink_dentry_list+0x2e5/0x5f0 fs/dcache.c:1222
   shrink_dcache_for_umount+0xa5/0x170 fs/dcache.c:1738
   generic_shutdown_super+0x74/0x2d0 fs/super.c:624
   kill_block_super+0x49/0xa0 fs/super.c:1725
   affs_kill_sb+0x4c/0x160 fs/affs/super.c:590

Reproduced by mounting a crafted AFFS image whose root-directory header
block is unreadable, calling symlinkat() to create an entry under it
(which reaches affs_add_entry() with retval != 0 from
affs_insert_hash()), and letting the mount tear down. Trigger requires
the ability to mount a crafted image (CAP_SYS_ADMIN or equivalent).

Only call d_instantiate() when affs_insert_hash() succeeded. On the
error path the dentry remains negative, so the caller's iput() correctly
disposes of the unbound inode and no stale dentry-to-evicted-inode
binding survives into umount.

Reported-by: Farhad Alemi
Signed-off-by: Farhad Alemi
---
 fs/affs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/affs/inode.c b/fs/affs/inode.c
index 5dd1b016bcb0..517d40c6c7df 100644
--- a/fs/affs/inode.c
+++ b/fs/affs/inode.c
@@ -407,7 +407,8 @@ affs_add_entry(struct inode *dir, struct inode *inode, struct dentry *dentry, s3
 	affs_unlock_dir(dir);
 	affs_unlock_link(inode);
-	d_instantiate(dentry, inode);
+	if (!retval)
+		d_instantiate(dentry, inode);
 done:
 	affs_brelse(inode_bh);
 	affs_brelse(bh);
-- 
2.43.0
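Review bot: the `if (!retval)` guard is correct but undocumented; the reason the dentry must stay negative on failure (the caller's iput() is otherwise the second drop of the inode's only reference, and the dentry's own iput() at umount then hits an evicted inode) lives only in the commit message, so a one-line comment above the guard would spare the next reader a trip to git log. The guard also assumes `retval` still holds affs_insert_hash()'s return value at this point, which the hunk does not show; confirm nothing between that call and affs_unlock_link() reassigns it. Since the report describes a kernel BUG reachable from a crafted image, a Fixes: tag and Cc: stable would make backporting straightforward.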
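The reference-count sequence the commit message describes, replayed as an added userspace model (this is not code from the patch or from fs/affs): the `model_*` types and functions are hypothetical stand-ins for the kernel's inode, dentry and iput(), simplified to the one rule the bug depends on, namely that d_instantiate() hands the caller's reference to the dentry, so a caller-side iput() on the error path plus the dentry's own iput() at umount is a double drop.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified inode state bits, named as in the kernel flags quoted in the report. */
#define I_FREEING 0x100
#define I_CLEAR   0x200

struct model_inode  { int count; unsigned state; };   /* stand-in for struct inode */
struct model_dentry { struct model_inode *inode; };    /* NULL inode == negative dentry */

/* Stand-in for iput(): drop one reference, evict at zero.  Returns 1 where the
 * real iput() would trip VFS_BUG_ON_INODE() (inode already I_FREEING|I_CLEAR). */
static int model_iput(struct model_inode *inode)
{
	if (inode->state & (I_FREEING | I_CLEAR))
		return 1;
	if (--inode->count == 0)
		inode->state |= I_FREEING | I_CLEAR;   /* evict_inode() has run */
	return 0;
}

typedef int (*add_entry_fn)(struct model_dentry *, struct model_inode *, int);

/* affs_add_entry() before the patch: bind the dentry whatever the insert result. */
static int add_entry_before(struct model_dentry *d, struct model_inode *i, int retval)
{
	d->inode = i;                 /* unconditional d_instantiate() */
	return retval;
}

/* affs_add_entry() after the patch: bind only when the hash insert succeeded. */
static int add_entry_after(struct model_dentry *d, struct model_inode *i, int retval)
{
	if (!retval)
		d->inode = i;
	return retval;
}

/* Replay the reported sequence: insert_ret is what affs_insert_hash() returned;
 * on failure the caller's error path iput()s the inode; then the dentry is torn
 * down as shrink_dcache_for_umount() would.  Returns 1 if that teardown hits
 * the evicted-inode BUG, 0 otherwise. */
static int run_scenario(add_entry_fn add_entry, int insert_ret)
{
	struct model_inode inode = { .count = 1, .state = 0 };  /* fresh inode, caller's ref */
	struct model_dentry dentry = { .inode = NULL };
	if (add_entry(&dentry, &inode, insert_ret))
		model_iput(&inode);       /* affs_create/affs_mkdir/affs_symlink error path */
	return dentry.inode ? model_iput(dentry.inode) : 0;  /* __dentry_kill() at umount */
}
```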