From nobody Tue Dec 2 00:02:04 2025 Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B593226C3B0 for ; Tue, 25 Nov 2025 11:03:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764068641; cv=none; b=BhxDr5e7ksfmXPoK5TJ/hv8crbhSuGq1YavrnG6p5T2/bykSHNVokYxYbVva/9s9LYS0OUvmQC4uxEbyn6Xg/L9MigJD0Oq0fU6YePfeLl6GSw0SRN6S3h3bbRkYnjiQ4otkFrFCiWyHRO5Rl3XtHmlFyjdYWtDYhTmYoEsoBDA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764068641; c=relaxed/simple; bh=/e3/bzOl/hG2fvjHqyJwQNkSWUvwjYRYjxOQG/377S8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lvyfJ9+XAiIXk6vOFPvsJMS3uONXh3pGkPYR8uHblGn6GH+MoXSZCbv9/YWK8dffGdPM+Ymk8nDu/kJqUXWTdTar3igYVMmRUQ4wMTaMdHvDmqm8yWL5W5wNuwEf2bK11HoHhkcz1Pluh3zhX/f/O8Vn3kDS6SaNweQ4vwPn9As= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SFUkyQ9U; arc=none smtp.client-ip=209.85.214.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SFUkyQ9U" Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-29806bd47b5so32681155ad.3 for ; Tue, 25 Nov 2025 03:03:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764068639; x=1764673439; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=sUyFX4n5R+sWYrLZ9NO3o8yJlWR0gA2nsHFM6Pi3yak=; b=SFUkyQ9USpc/0C9EcRij3yOg/xZiE6jDSJudZhnsedLsl6Rs/9jK83J4iQF/agjZKb p7d4FMVlDWUe60DhFzVS37GrT4VCt1k2MaGw8jU0rQ6RP2Ilk57K1XH8dQW8Hjog80Df vnE717L12/L3fqACwHo2BuWIiUEluPBkhNpQxUBeUyWa1WGR268m5k1S92tcZimSyRXF z9RiIQ8ggmwfI375nvhPN/JwwVbeLMyoflBPUCuu7GfY7UQZBSqpUSYa/vmxqO7bnViz keJpiONi6FJrA4leVvJVvwaQPZs0z1QGsce/OtNQGIZRp+CVLd8J9HUV9eBU/tu9YFys at2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764068639; x=1764673439; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=sUyFX4n5R+sWYrLZ9NO3o8yJlWR0gA2nsHFM6Pi3yak=; b=Awc8dJ4xUVwHJQ25Y2mRDOVt4O+hzWU8gm41wZSBJWNgP5IjOwG9Yqn/YlsoSKbb4o /iv5E103Zzrocj1BxzXTOGxUgIcQYMPkZNm0tMnsFKZWg0KjxVJQfiIvO1Jjsj4kfdZ2 gjOuUYy4ip2GiKa2Ho4vl7tzLNsPAcqJfGDxbSrnB1hFfPBfrLvUutlKU0lbE1GDpCpI 4hLhT8r0wiFYiz8aIr38qC1HOHzwlzvU8rX2dL8++qDOq5zUhghurFg0Gj9ojwXY+TQq LJGk2FnjvCaHwD8+qMsBCZwSII2CwJArWJ8K3+/tiZESxaE11DQceqnCj3xQ+9BVAwqC gyDw== X-Forwarded-Encrypted: i=1; AJvYcCUPLSx84RcYK+H8S1c9CMYMjILz11bN9//oEPs2eTN5PeEultHi8SWTvs8oRpbJ4JVmO0QXvXzpod6pRa8=@vger.kernel.org X-Gm-Message-State: AOJu0YwMik8PWv7e2SmvJTKxQu6I9I95DYXuuDB2tSOS70xK9ILdZlGj 5WEQuXkhvsLiFmzd+8duT8zh5AhuJ44bS8jhN7NWnAlXl+y031CURrUIjfIk1ub7QWA= X-Gm-Gg: ASbGnct45rnq0PZDmaKhcRhDOwHV+E7V4iqTHNp/rX96fCJagVz2BzOnCdEkW3Jp875 c1WPaUgeQLLamwMuYIlw2DoazgMugZrqcveFzlnODKiFdCd+B4uN+Zqz+Zn2nacJyzsUDZF6/F0 viNnOftbegwTlP0U8BFm7t6RpsvyV5MvbKDjTlfep/BzFTsVDeVhd+Svc09W40r2JfnAfyecK6Y 2Yd8N7eIxVAKE8Sdb8FX4bgtv9KGSilMfcU8p2xQ5SSSrEx4dMQouys/bBCGP7sr8S8K8O1zxt4 8n9eg8vLK3jR/D/eIS7RUQ1tKii2M/llI/LFXVNSXc9eug1kHRM3p2L8sobca81kumswA8uiSab tQ1l91euyCKsp/WgGw3cQoxmQISUfTGczHtM0FM9HYiiR5EvBB913+mtBjmtUh9mv51kb X-Google-Smtp-Source: AGHT+IGKwoAIpTyoNZtyFKR+h1N3L+qOjBef3yrIz71oiUDBQal2O+xFnif9RFB1yVx4rtY7ADCWxQ== X-Received: by 2002:a17:902:d4ca:b0:294:f6e2:cea1 with SMTP id d9443c01a7336-29b6c571f11mr168558695ad.38.1764068638763; Tue, 25 Nov 2025 03:03:58 -0800 (PST) Received: from hsukr3.. ([2405:201:d019:4042:c1a3:cd97:974e:2371]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29b5b29b1c2sm162491665ad.81.2025.11.25.03.03.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Nov 2025 03:03:58 -0800 (PST) From: Sukrut Heroorkar To: Jan Kara , linux-kernel@vger.kernel.org (open list) Cc: shuah@kernel.org, david.hunter.linux@gmail.com, Al Viro , Jan Kara , Sukrut Heroorkar Subject: [PATCH 6.1.y 1/2] udf_rename(): only access the child content on cross-directory rename Date: Tue, 25 Nov 2025 16:33:27 +0530 Message-ID: <5758e285ed31a030f88f1f6f5a57d95f0b3ac974.1763999341.git.hsukrut3@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Al Viro [ Upstream commit 9d35cebb794bb7be93db76c3383979c7deacfef9 ] We can't really afford locking the source on same-directory rename; currently vfs_rename() tries to do that, but it will have to be changed. The logics in udf_rename() is lazy and goes looking for ".." in source even in same-directory case. It's not hard to get rid of that, leaving that behaviour only for cross-directory case; that VFS can get locks safely (and will keep doing that after the coming changes). Reviewed-by: Jan Kara Signed-off-by: Al Viro Stable-dep-of: 6756af923e06 ("udf: Verify inode link counts before performi= ng rename") Signed-off-by: Sukrut Heroorkar --- fs/udf/namei.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/udf/namei.c b/fs/udf/namei.c index 29ab5f80dd41..adee216c6769 100644 --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -751,7 +751,7 @@ static int udf_rename(struct user_namespace *mnt_userns= , struct inode *old_dir, struct inode *old_inode =3D d_inode(old_dentry); struct inode *new_inode =3D d_inode(new_dentry); struct udf_fileident_iter oiter, niter, diriter; - bool has_diriter =3D false; + bool has_diriter =3D false, is_dir =3D false; int retval; struct kernel_lb_addr tloc; =20 @@ -774,6 +774,9 @@ static int udf_rename(struct user_namespace *mnt_userns= , struct inode *old_dir, if (!empty_dir(new_inode)) goto out_oiter; } + is_dir =3D true; + } + if (is_dir && old_dir !=3D new_dir) { retval =3D udf_fiiter_find_entry(old_inode, &dotdot_name, &diriter); if (retval =3D=3D -ENOENT) { @@ -859,7 +862,9 @@ static int udf_rename(struct user_namespace *mnt_userns= , struct inode *old_dir, cpu_to_lelb(UDF_I(new_dir)->i_location); udf_fiiter_write_fi(&diriter, NULL); udf_fiiter_release(&diriter); + } =20 + if (is_dir) { inode_dec_link_count(old_dir); if (new_inode) inode_dec_link_count(new_inode); --=20 2.43.0 From nobody Tue Dec 2 00:02:04 2025 Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66B6E3161B8 for ; Tue, 25 Nov 2025 11:04:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764068647; cv=none; b=gDoVmu9TqUeiT/ZB1sNtG0ePU//mRVsKbPuTB1HpnnqxKfA0TOxE9SprpNQVYitPg7SBTuXQeI6L7lZb2qBoMDyAtsDpChTBD0/nucxABbA7RVqmAQdHYHHmhhzMWRo609CqKnf9IanK+uM4EAk6lQNQF5TroD1h0q18/ZYz0X4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764068647; c=relaxed/simple; bh=DqiP0nI4hpJzScjnN8dDYEbW0vfjGJ9slxWL7nnQJsk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UICD2a/K6aCihc0uMwmJ80Ao+3RwZHdRuVVkUcOV5Iz/nqUjYwcNhpxUrcGZDsUvTKkB2vKFyn/4pU3qtAtu6En6fFFYt4NYTt0kRIBqElKxRtfcZ1oHPB5dWXAPufs+K0HVgk8ZlYSK4cYHN+MlvKY4jk6Oxcts7Vyp0NwL6kQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=nHKwnKp3; arc=none smtp.client-ip=209.85.214.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nHKwnKp3" Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-298145fe27eso84347945ad.1 for ; Tue, 25 Nov 2025 03:04:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764068644; x=1764673444; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=1RfJ8pHYkiapmvTEdtwB8y3M8ZNQzNCtg8sYxHG6V+s=; b=nHKwnKp3uPmE39V3W5BlUscPNL3C8G7oSLDsfF0Qt7zCTcO2hShNmbWYs9iGU2FT6S Q/ndKkE6/iO+mV3YHpa9HzU1OA7bQef0wn2WkzT2nj2JU2PZp+H2lpeYliffOl5rURBF S3p/bwVPzMLso1MjfKUSzFxhCnczTYsretsHHrWvQoNZqLMeVBPRQnAKcvZ77iDJANzM T/WpjXfp1qO1Mf3DakP3zwQKfvYlj8ZrfI0rUeG2lOlLWx1mOnYmFrMaeJ2eA1ZHfsyC af/Y2AZ3anhgcsKDBwOWdY+u3/F4MEb/aTWT6B61DQ+3/S/I4GtOuHNfmhIFamUKqE8S WgXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764068644; x=1764673444; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=1RfJ8pHYkiapmvTEdtwB8y3M8ZNQzNCtg8sYxHG6V+s=; b=F6omxGB8g1Q3v80IRg5VBIC2Y5YbE3IgV/eU1UDLe93LF5MFKOO3WgAxsYovenD1An 6iXOiQB3CFM9ERG4UOP2MSidjgv+VAeKkspYSzMLi6urX1dYSiJJ//4CUo9yY5viIhh9 BKlVl14dJO/1Fgxf6AMkc+rrcH7ixoN1JglyKm89HtTg7VhzpUQxUTPQcOOcyC7sY7nX 5tdOCd2Q8S9MrUuIdj0VB9fdy2bGQ6v77ZWdq44laZNIA/zftqvSSmpzoalCyRMuFgzn 39N59UPmU5N173Wo0JfXdwlhVygnhrn+Fr36oObruQeCP9qo8ZxzgjuXTO3J4601AJk9 QZiw== X-Forwarded-Encrypted: i=1; AJvYcCXOo8fMS3eLQY2RKkJn8P3j6tIejiodeeTehGnQBSsbqBUYGC/Dv0fofzV6+ID3LAoCahR/W096v0uJFyE=@vger.kernel.org X-Gm-Message-State: AOJu0Yz4W/UK8HKhcXN+QAFQl91s4QszlSPX++KwDYG2icbiewZ36Sp4 S5/ltiXKIz9zo0Yt9j5b/vaAUfHgB3iXcjyURs3Lch61IfNaxQ64soAL/liyumSt6jk= X-Gm-Gg: ASbGncvjUHqDdEFHbdAyTJd2mgcf6x2Ot7mOuKyBToS0ZvGzt286JS9Sk2Ur5vUubRP CgWS1N/lao2lJSfTKfIXuMU8l2j/G7uoVBaKPl5bAiORnSmhrDVOGINoC7+8GfYm+3StPtoxr// uTT8BBVegCyeGIznaFHsTYEhcIqGmWNqK2JwrZa83U+/Q2tpYi9K+t8+sagltMlzuq7WS3FG30w WxtwL5TETmm//TMrIgt0ELZ70rR3YZxMPSuhLeS7IJ0+1MKFfszR+NQbzpU3kk7HYKFucTAiwKE iQ8dEOQBj68xB2azcvsgau8zufNhr460qW4YD1Ekf6et1HTZOI4HSG85zIqHJEKdRRyoewO+xRx yS352rOSFdjOX+mYyHj2n01bh+9w015RDskxs9yG3vbg+Ut+JwDi7uXsf9UX6KlQnzDLQ+9PBiV zihIOIJNM= X-Google-Smtp-Source: AGHT+IHIQBgfqPsRkpT6qtQ1OG0YOGGqXfpc8CHkxm2J5FAhrYupELt5BnzYOvSAZV9Q7xm0BcMg/w== X-Received: by 2002:a17:902:dac3:b0:299:e031:16d with SMTP id d9443c01a7336-29bab148c3emr26850635ad.33.1764068643530; Tue, 25 Nov 2025 03:04:03 -0800 (PST) Received: from hsukr3.. ([2405:201:d019:4042:c1a3:cd97:974e:2371]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-29b5b29b1c2sm162491665ad.81.2025.11.25.03.04.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 25 Nov 2025 03:04:03 -0800 (PST) From: Sukrut Heroorkar To: Jan Kara , linux-kernel@vger.kernel.org (open list) Cc: shuah@kernel.org, david.hunter.linux@gmail.com, Jan Kara , syzbot+3ff7365dc04a6bcafa66@syzkaller.appspotmail.com, syzbot+72f20dcde8dd7e4a788a@syzkaller.appspotmail.com, Sukrut Heroorkar Subject: [PATCH 6.1.y 2/2] udf: Verify inode link counts before performing rename Date: Tue, 25 Nov 2025 16:33:28 +0530 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Jan Kara [ Upstream commit 6756af923e06aa33ad8894aaecbf9060953ba00f ] During rename, we are updating link counts of various inodes either when rename deletes target or when moving directory across directories. Verify involved link counts are sane so that we don't trip warnings in VFS. Reported-by: syzbot+3ff7365dc04a6bcafa66@syzkaller.appspotmail.com Signed-off-by: Jan Kara Tested-by: syzbot+72f20dcde8dd7e4a788a@syzkaller.appspotmail.com Signed-off-by: Sukrut Heroorkar --- fs/udf/namei.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/udf/namei.c b/fs/udf/namei.c index adee216c6769..5bf074c56cde 100644 --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -773,8 +773,18 @@ static int udf_rename(struct user_namespace *mnt_usern= s, struct inode *old_dir, retval =3D -ENOTEMPTY; if (!empty_dir(new_inode)) goto out_oiter; + retval =3D -EFSCORRUPTED; + if (new_inode->i_nlink !=3D 2) + goto out_oiter; } + retval =3D -EFSCORRUPTED; + if (old_dir->i_nlink < 3) + goto out_oiter; is_dir =3D true; + } else if (new_inode) { + retval =3D -EFSCORRUPTED; + if (new_inode->i_nlink < 1) + goto out_oiter; } if (is_dir && old_dir !=3D new_dir) { retval =3D udf_fiiter_find_entry(old_inode, &dotdot_name, --=20 2.43.0