From: Al Viro <viro@zeniv.linux.org.uk>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+321477fad98ea6dd35b7@syzkaller.appspotmail.com,
brauner@kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] fs: Additional checks on new and old dir
Date: Fri, 16 May 2025 20:31:22 +0100
Message-ID: <20250516193122.GS2023217@ZenIV>
In-Reply-To: <tencent_55ACA45C1762977206C3B376C36BA96B8305@qq.com>
On Wed, May 14, 2025 at 06:39:40AM +0800, Edward Adam Davis wrote:
> In the reproducer, when calling renameat2(), olddirfd and newdirfd passed
> are the same value r0, see [1]. This situation should be avoided.
>
> [1]
> renameat2(r0, &(0x7f0000000240)='./bus/file0\x00', r0, &(0x7f00000001c0)='./file0\x00', 0x0)
>
> Reported-by: syzbot+321477fad98ea6dd35b7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=321477fad98ea6dd35b7
> Tested-by: syzbot+321477fad98ea6dd35b7@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> fs/namei.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 84a0e0b0111c..ff843007ca94 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -5013,7 +5013,7 @@ int vfs_rename(struct renamedata *rd)
> struct name_snapshot old_name;
> bool lock_old_subdir, lock_new_subdir;
>
> - if (source == target)
> + if (source == target || old_dir == target)
> return 0;
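
Review bot: the added `old_dir == target` condition in vfs_rename() shares the existing `return 0`, so a rename whose target is the source's own parent directory would be reported to the caller as success although nothing was renamed. If that case has to be rejected here, it should return an error. The changelog also needs work: it justifies the change with olddirfd and newdirfd being equal, but the condition compares `old_dir` with `target`, and nothing in the message explains how this relates to the reported hang.
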
What the hell?

1) olddirfd and newdirfd have nothing to do with vfs_rename() - they are
bloody well gone by the time we get there.

2) there's nothing wrong with having the same value passed in both -
and it's certainly not a "quietly do nothing".

3) the check added in this patch is... odd. You are checking essentially
for rename("foo/bar", "foo"). It should fail (-ENOTEMPTY or -EINVAL, depending
upon RENAME_EXCHANGE in flags) without having reached vfs_rename().
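
The behaviour described in points 2 and 3 can be observed from userspace. The following is an added example, not code from this thread or from the kernel tree; it builds a constructed `bus/file0` layout (names borrowed from the reproducer) in a scratch directory under /tmp, and `do_rename2()` and `rename_demo()` are hypothetical helper names.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef RENAME_EXCHANGE
#define RENAME_EXCHANGE (1 << 1)
#endif

/* Raw syscall, so the demo does not depend on a glibc renameat2() wrapper.
 * Returns 0 on success or a negative errno value, kernel style. */
static int do_rename2(int ofd, const char *o, int nfd, const char *n, unsigned fl)
{
    return syscall(SYS_renameat2, ofd, o, nfd, n, fl) == 0 ? 0 : -errno;
}

/* Creates <scratch>/bus/file0, tries three renames through one dirfd (r0)
 * and stores each result. Returns 0 if the setup itself succeeded. */
int rename_demo(int *same_fd, int *onto_parent, int *exchange_parent)
{
    char tmpl[] = "/tmp/rename-demo-XXXXXX";   /* constructed scratch dir */
    int r0 = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (r0 < 0 || mkdirat(r0, "bus", 0700)) return -1;
    int fd = openat(r0, "bus/file0", O_CREAT | O_WRONLY, 0600);
    if (fd < 0) return -1;
    close(fd);
    /* The rename("foo/bar", "foo") shape: the target is the source's parent. */
    *onto_parent = do_rename2(r0, "bus/file0", r0, "bus", 0);
    *exchange_parent = do_rename2(r0, "bus/file0", r0, "bus", RENAME_EXCHANGE);
    /* Same dirfd on both sides, as in the reproducer: an ordinary rename. */
    *same_fd = do_rename2(r0, "bus/file0", r0, "file0", 0);
    unlinkat(r0, "file0", 0);
    unlinkat(r0, "bus/file0", 0);              /* only present if rename failed */
    unlinkat(r0, "bus", AT_REMOVEDIR);
    close(r0);
    rmdir(tmpl);
    return 0;
}

int main(void)
{
    int a, b, c;
    if (rename_demo(&a, &b, &c)) { perror("setup"); return 1; }
    printf("same dirfd: %d, onto parent: %d, exchange with parent: %d\n", a, b, c);
    return 0;
}
```
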