[PATCH] udf: Prevent rmdir of deleted directories

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Leo Stone <leocstone@gmail.com>
To: syzbot+5df2d3fa14f2d3e49305@syzkaller.appspotmail.com, jack@suse.com
Cc: Leo Stone <leocstone@gmail.com>, linux-kernel@vger.kernel.org
Subject: [PATCH] udf: Prevent rmdir of deleted directories
Date: Sun,  1 Dec 2024 16:41:02 -0800	[thread overview]
Message-ID: <20241202004104.20604-2-leocstone@gmail.com> (raw)
In-Reply-To: <6747ce03.050a0220.253251.0066.GAE@google.com>

The syzbot reproducer mounts a UDF image with the undelete option
enabled. It then creates a directory, and eventually attempts to call
rmdir on it 65 times. Because the undelete option is set, the
directory still gets found in udf_fiiter_find_entry(), and the link
count of its parent directory is decremented until it triggers the
warning in drop_nlink().

Prevent directories with the FID_FILE_CHAR_DELETED flag set from being
deleted again.

#syz test

Reported-by: syzbot+5df2d3fa14f2d3e49305@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5df2d3fa14f2d3e49305
Signed-off-by: Leo Stone <leocstone@gmail.com>
---
 fs/udf/namei.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index 78a603129dd5..0a577b7459de 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -504,6 +504,12 @@ static int udf_rmdir(struct inode *dir, struct dentry *dentry)
 	if (ret)
 		goto out;
 
+	if (iter.fi.fileCharacteristics & FID_FILE_CHAR_DELETED) {
+		udf_warn(inode->i_sb,
+			 "tried to rmdir a directory that was already deleted\n");
+		ret = -ENOENT;
+		goto end_rmdir;
+	}
 	ret = -EFSCORRUPTED;
 	tloc = lelb_to_cpu(iter.fi.icb.extLocation);
 	if (udf_get_lb_pblock(dir->i_sb, &tloc, 0) != inode->i_ino)
-- 
2.43.0

next prev parent reply	other threads:[~2024-12-02  0:41 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-28  1:57 [syzbot] [udf?] WARNING in udf_rmdir (2) syzbot
2024-12-02  0:41 ` Leo Stone [this message]
2024-12-02  1:01   ` syzbot
2024-12-02 12:28   ` [PATCH] udf: Prevent rmdir of deleted directories Jan Kara
2025-01-15  3:53 ` [syzbot] [udf?] WARNING in udf_rmdir (2) syzbot
2025-01-16 10:29   ` Jan Kara

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:78a603129dd dfblob:0a577b7459d )
 OR (
bs:"[PATCH] udf: Prevent rmdir of deleted directories" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241202004104.20604-2-leocstone@gmail.com \
    --to=leocstone@gmail.com \
    --cc=jack@suse.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+5df2d3fa14f2d3e49305@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.