From nobody Tue Dec 2 00:24:18 2025 Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66B6E3161B8 for ; Tue, 25 Nov 2025 11:04:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764068647; cv=none; b=gDoVmu9TqUeiT/ZB1sNtG0ePU//mRVsKbPuTB1HpnnqxKfA0TOxE9SprpNQVYitPg7SBTuXQeI6L7lZb2qBoMDyAtsDpChTBD0/nucxABbA7RVqmAQdHYHHmhhzMWRo609CqKnf9IanK+uM4EAk6lQNQF5TroD1h0q18/ZYz0X4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764068647; c=relaxed/simple; bh=DqiP0nI4hpJzScjnN8dDYEbW0vfjGJ9slxWL7nnQJsk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UICD2a/K6aCihc0uMwmJ80Ao+3RwZHdRuVVkUcOV5Iz/nqUjYwcNhpxUrcGZDsUvTKkB2vKFyn/4pU3qtAtu6En6fFFYt4NYTt0kRIBqElKxRtfcZ1oHPB5dWXAPufs+K0HVgk8ZlYSK4cYHN+MlvKY4jk6Oxcts7Vyp0NwL6kQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=nHKwnKp3; arc=none smtp.client-ip=209.85.214.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nHKwnKp3" Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-298145fe27eso84347945ad.1 for ; Tue, 25 Nov 2025 03:04:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764068644; x=1764673444; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=1RfJ8pHYkiapmvTEdtwB8y3M8ZNQzNCtg8sYxHG6V+s=; b=nHKwnKp3uPmE39V3W5BlUscPNL3C8G7oSLDsfF0Qt7zCTcO2hShNmbWYs9iGU2FT6S Q/ndKkE6/iO+mV3YHpa9HzU1OA7bQef0wn2WkzT2nj2JU2PZp+H2lpeYliffOl5rURBF S3p/bwVPzMLso1MjfKUSzFxhCnczTYsretsHHrWvQoNZqLMeVBPRQnAKcvZ77iDJANzM T/WpjXfp1qO1Mf3DakP3zwQKfvYlj8ZrfI0rUeG2lOlLWx1mOnYmFrMaeJ2eA1ZHfsyC af/Y2AZ3anhgcsKDBwOWdY+u3/F4MEb/aTWT6B61DQ+3/S/I4GtOuHNfmhIFamUKqE8S WgXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764068644; x=1764673444; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=1RfJ8pHYkiapmvTEdtwB8y3M8ZNQzNCtg8sYxHG6V+s=; b=F6omxGB8g1Q3v80IRg5VBIC2Y5YbE3IgV/eU1UDLe93LF5MFKOO3WgAxsYovenD1An 6iXOiQB3CFM9ERG4UOP2MSidjgv+VAeKkspYSzMLi6urX1dYSiJJ//4CUo9yY5viIhh9 BKlVl14dJO/1Fgxf6AMkc+rrcH7ixoN1JglyKm89HtTg7VhzpUQxUTPQcOOcyC7sY7nX 5tdOCd2Q8S9MrUuIdj0VB9fdy2bGQ6v77ZWdq44laZNIA/zftqvSSmpzoalCyRMuFgzn 39N59UPmU5N173Wo0JfXdwlhVygnhrn+Fr36oObruQeCP9qo8ZxzgjuXTO3J4601AJk9 QZiw== X-Forwarded-Encrypted: i=1; AJvYcCXOo8fMS3eLQY2RKkJn8P3j6tIejiodeeTehGnQBSsbqBUYGC/Dv0fofzV6+ID3LAoCahR/W096v0uJFyE=@vger.kernel.org X-Gm-Message-State: AOJu0Yz4W/UK8HKhcXN+QAFQl91s4QszlSPX++KwDYG2icbiewZ36Sp4 S5/ltiXKIz9zo0Yt9j5b/vaAUfHgB3iXcjyURs3Lch61IfNaxQ64soAL/liyumSt6jk= X-Gm-Gg: ASbGncvjUHqDdEFHbdAyTJd2mgcf6x2Ot7mOuKyBToS0ZvGzt286JS9Sk2Ur5vUubRP CgWS1N/lao2lJSfTKfIXuMU8l2j/G7uoVBaKPl5bAiORnSmhrDVOGINoC7+8GfYm+3StPtoxr// uTT8BBVegCyeGIznaFHsTYEhcIqGmWNqK2JwrZa83U+/Q2tpYi9K+t8+sagltMlzuq7WS3FG30w WxtwL5TETmm//TMrIgt0ELZ70rR3YZxMPSuhLeS7IJ0+1MKFfszR+NQbzpU3kk7HYKFucTAiwKE iQ8dEOQBj68xB2azcvsgau8zufNhr460qW4YD1Ekf6et1HTZOI4HSG85zIqHJEKdRRyoewO+xRx yS352rOSFdjOX+mYyHj2n01bh+9w015RDskxs9yG3vbg+Ut+JwDi7uXsf9UX6KlQnzDLQ+9PBiV zihIOIJNM= X-Google-Smtp-Source: AGHT+IHIQBgfqPsRkpT6qtQ1OG0YOGGqXfpc8CHkxm2J5FAhrYupELt5BnzYOvSAZV9Q7xm0BcMg/w== X-Received: by 2002:a17:902:dac3:b0:299:e031:16d with SMTP id d9443c01a7336-29bab148c3emr26850635ad.33.1764068643530; Tue, 25 Nov 2025 03:04:03 -0800 (PST) Received: from hsukr3.. ([2405:201:d019:4042:c1a3:cd97:974e:2371]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29b5b29b1c2sm162491665ad.81.2025.11.25.03.04.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Nov 2025 03:04:03 -0800 (PST) From: Sukrut Heroorkar To: Jan Kara , linux-kernel@vger.kernel.org (open list) Cc: shuah@kernel.org, david.hunter.linux@gmail.com, Jan Kara , syzbot+3ff7365dc04a6bcafa66@syzkaller.appspotmail.com, syzbot+72f20dcde8dd7e4a788a@syzkaller.appspotmail.com, Sukrut Heroorkar Subject: [PATCH 6.1.y 2/2] udf: Verify inode link counts before performing rename Date: Tue, 25 Nov 2025 16:33:28 +0530 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jan Kara [ Upstream commit 6756af923e06aa33ad8894aaecbf9060953ba00f ] During rename, we are updating link counts of various inodes either when rename deletes target or when moving directory across directories. Verify involved link counts are sane so that we don't trip warnings in VFS. Reported-by: syzbot+3ff7365dc04a6bcafa66@syzkaller.appspotmail.com Signed-off-by: Jan Kara Tested-by: syzbot+72f20dcde8dd7e4a788a@syzkaller.appspotmail.com Signed-off-by: Sukrut Heroorkar --- fs/udf/namei.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/udf/namei.c b/fs/udf/namei.c index adee216c6769..5bf074c56cde 100644 --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -773,8 +773,18 @@ static int udf_rename(struct user_namespace *mnt_usern= s, struct inode *old_dir, retval =3D -ENOTEMPTY; if (!empty_dir(new_inode)) goto out_oiter; + retval =3D -EFSCORRUPTED; + if (new_inode->i_nlink !=3D 2) + goto out_oiter; } + retval =3D -EFSCORRUPTED; + if (old_dir->i_nlink < 3) + goto out_oiter; is_dir =3D true; + } else if (new_inode) { + retval =3D -EFSCORRUPTED; + if (new_inode->i_nlink < 1) + goto out_oiter; } if (is_dir && old_dir !=3D new_dir) { retval =3D udf_fiiter_find_entry(old_inode, &dotdot_name, --=20 2.43.0