From: Al Viro <viro@zeniv.linux.org.uk>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+321477fad98ea6dd35b7@syzkaller.appspotmail.com,
	brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] fs: Additional checks on new and old dir
Date: Fri, 16 May 2025 20:31:22 +0100
Message-ID: <20250516193122.GS2023217@ZenIV>
In-Reply-To: <tencent_55ACA45C1762977206C3B376C36BA96B8305@qq.com>

On Wed, May 14, 2025 at 06:39:40AM +0800, Edward Adam Davis wrote:
> In the reproducer, when calling renameat2(), olddirfd and newdirfd passed
> are the same value r0, see [1]. This situation should be avoided.
> 
> [1]
> renameat2(r0, &(0x7f0000000240)='./bus/file0\x00', r0, &(0x7f00000001c0)='./file0\x00', 0x0)
> 
> Reported-by: syzbot+321477fad98ea6dd35b7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=321477fad98ea6dd35b7
> Tested-by: syzbot+321477fad98ea6dd35b7@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>  fs/namei.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/namei.c b/fs/namei.c
> index 84a0e0b0111c..ff843007ca94 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -5013,7 +5013,7 @@ int vfs_rename(struct renamedata *rd)
>  	struct name_snapshot old_name;
>  	bool lock_old_subdir, lock_new_subdir;
>  
> -	if (source == target)
> +	if (source == target || old_dir == target)
>  		return 0;
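
Review bot: in the changed condition, `old_dir == target` falls into the existing `return 0`, so the caller is told the rename succeeded although nothing was renamed; if this case is invalid it should return an error rather than share the no-op path of `source == target`. The test also does not match the commit message, which talks about olddirfd and newdirfd being equal, while the condition compares old_dir with target, and there is no comment saying why that case has to be handled at this point. Please describe in the commit message which state the reproducer actually reaches in vfs_rename(), and add a comment at the check.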

What the hell?

1) olddirfd and newdirfd have nothing to do with vfs_rename() - they are
bloody well gone by the time we get there.

2) there's nothing wrong with having the same value passed in both -
and it's certainly not a "quietly do nothing".

3) the check added in this patch is... odd.  You are checking essentially
for rename("foo/bar", "foo").  It should fail (-ENOTEMPTY or -EINVAL, depending
upon RENAME_EXCHANGE in flags) without having reached vfs_rename().
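
The case from point 3 above, checked from userspace with the same directory fd on both sides, as an added example (not code from this thread or from the kernel tree). It assumes Linux with renameat2(2) and a writable /tmp; the helper name and the scratch paths are made up for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1)
#endif

/* Hypothetical helper: builds <scratch>/foo/bar, then issues
 * renameat2(dfd, "foo/bar", dfd, "foo", flags) with one fd used as both
 * olddirfd and newdirfd. Returns 0 if the kernel accepted the rename,
 * the errno it reported otherwise, or -1 if the setup itself failed. */
static int rename_child_onto_parent(unsigned int flags)
{
    char tmpl[] = "/tmp/rename-demo-XXXXXX";    /* constructed scratch dir */
    int dfd, err = -1;

    if (!mkdtemp(tmpl))
        return -1;
    dfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd >= 0) {
        if (mkdirat(dfd, "foo", 0700) == 0 &&
            mkdirat(dfd, "foo/bar", 0700) == 0) {
            /* Raw syscall, so no libc renameat2() wrapper is needed. */
            long rc = syscall(SYS_renameat2, dfd, "foo/bar", dfd, "foo", flags);
            err = (rc == 0) ? 0 : errno;
        }
        /* Remove whatever was created, innermost first. */
        unlinkat(dfd, "foo/bar", AT_REMOVEDIR);
        unlinkat(dfd, "foo", AT_REMOVEDIR);
        close(dfd);
    }
    rmdir(tmpl);
    return err;
}

int main(void)
{
    printf("flags=0:         %s\n", strerror(rename_child_onto_parent(0)));
    printf("RENAME_EXCHANGE: %s\n",
           strerror(rename_child_onto_parent(RENAME_EXCHANGE)));
    return 0;
}
```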

Thread overview: 10+ messages
2025-04-22 21:28 [syzbot] [fs?] INFO: task hung in vfs_rename (2) syzbot
2025-04-23 11:35 ` Jan Kara
2025-05-13 12:00 ` Edward Adam Davis
2025-05-13 16:15   ` syzbot
2025-05-13 22:39 ` [PATCH] fs: Additional checks on new and old dir Edward Adam Davis
2025-05-16 19:31   ` Al Viro [this message]
2025-05-16 23:20     ` [pox on syzbot - again][exfat] exfat_mkdir() breakage on corrupted image Al Viro
2025-05-20 17:17       ` Aleksandr Nogikh
2025-07-22 17:51 ` [syzbot] [fs?] INFO: task hung in vfs_rename (2) Kent Overstreet
2025-07-23  8:38   ` Jan Kara
