[PATCH 6.1 06/19] udf: Convert udf_rename() to new directory iteration code

Linux kernel -stable discussions
 help / color / mirror / Atom feed

From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
To: stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
	kernel-dev@igalia.com,
	syzbot+0eaad3590d65102b9391@syzkaller.appspotmail.com,
	syzbot+b7fc73213bc2361ab650@syzkaller.appspotmail.com,
	Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Subject: [PATCH 6.1 06/19] udf: Convert udf_rename() to new directory iteration code
Date: Thu, 17 Oct 2024 14:19:02 -0300	[thread overview]
Message-ID: <20241017171915.311132-7-cascardo@igalia.com> (raw)
In-Reply-To: <20241017171915.311132-1-cascardo@igalia.com>

From: Jan Kara <jack@suse.cz>

[ Upstream commit e9109a92d2a95889498bed3719cd2318892171a2 ]

Convert udf_rename() to use new directory iteration code.

Reported-by: syzbot+0eaad3590d65102b9391@syzkaller.appspotmail.com
Reported-by: syzbot+b7fc73213bc2361ab650@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
[cascardo: remove the call to udf_rename_tag per commit
 27ab33854873 ("udf: Fix bogus checksum computation in udf_rename()")]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
---
 fs/udf/namei.c | 162 +++++++++++++++++++++++--------------------------
 1 file changed, 76 insertions(+), 86 deletions(-)

diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index f9e7fe80a066..1f8c91e953bb 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -1238,78 +1238,68 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
 {
 	struct inode *old_inode = d_inode(old_dentry);
 	struct inode *new_inode = d_inode(new_dentry);
-	struct udf_fileident_bh ofibh, nfibh;
-	struct fileIdentDesc *ofi = NULL, *nfi = NULL, *dir_fi = NULL;
-	struct fileIdentDesc ocfi, ncfi;
-	struct buffer_head *dir_bh = NULL;
-	int retval = -ENOENT;
+	struct udf_fileident_iter oiter, niter, diriter;
+	bool has_diriter = false;
+	int retval;
 	struct kernel_lb_addr tloc;
-	struct udf_inode_info *old_iinfo = UDF_I(old_inode);
 
 	if (flags & ~RENAME_NOREPLACE)
 		return -EINVAL;
 
-	ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
-	if (!ofi || IS_ERR(ofi)) {
-		if (IS_ERR(ofi))
-			retval = PTR_ERR(ofi);
-		goto end_rename;
-	}
-
-	if (ofibh.sbh != ofibh.ebh)
-		brelse(ofibh.ebh);
-
-	brelse(ofibh.sbh);
-	tloc = lelb_to_cpu(ocfi.icb.extLocation);
-	if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino)
-		goto end_rename;
+	retval = udf_fiiter_find_entry(old_dir, &old_dentry->d_name, &oiter);
+	if (retval)
+		return retval;
 
-	nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi);
-	if (IS_ERR(nfi)) {
-		retval = PTR_ERR(nfi);
-		goto end_rename;
-	}
-	if (nfi && !new_inode) {
-		if (nfibh.sbh != nfibh.ebh)
-			brelse(nfibh.ebh);
-		brelse(nfibh.sbh);
-		nfi = NULL;
+	tloc = lelb_to_cpu(oiter.fi.icb.extLocation);
+	if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino) {
+		retval = -ENOENT;
+		goto out_oiter;
 	}
-	if (S_ISDIR(old_inode->i_mode)) {
-		int offset = udf_ext0_offset(old_inode);
 
+	if (S_ISDIR(old_inode->i_mode)) {
 		if (new_inode) {
 			retval = -ENOTEMPTY;
 			if (!empty_dir(new_inode))
-				goto end_rename;
+				goto out_oiter;
 		}
-		retval = -EIO;
-		if (old_iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
-			dir_fi = udf_get_fileident(
-					old_iinfo->i_data -
-					  (old_iinfo->i_efe ?
-					   sizeof(struct extendedFileEntry) :
-					   sizeof(struct fileEntry)),
-					old_inode->i_sb->s_blocksize, &offset);
-		} else {
-			dir_bh = udf_bread(old_inode, 0, 0, &retval);
-			if (!dir_bh)
-				goto end_rename;
-			dir_fi = udf_get_fileident(dir_bh->b_data,
-					old_inode->i_sb->s_blocksize, &offset);
+		retval = udf_fiiter_find_entry(old_inode, &dotdot_name,
+					       &diriter);
+		if (retval == -ENOENT) {
+			udf_err(old_inode->i_sb,
+				"directory (ino %lu) has no '..' entry\n",
+				old_inode->i_ino);
+			retval = -EFSCORRUPTED;
 		}
-		if (!dir_fi)
-			goto end_rename;
-		tloc = lelb_to_cpu(dir_fi->icb.extLocation);
+		if (retval)
+			goto out_oiter;
+		has_diriter = true;
+		tloc = lelb_to_cpu(diriter.fi.icb.extLocation);
 		if (udf_get_lb_pblock(old_inode->i_sb, &tloc, 0) !=
-				old_dir->i_ino)
-			goto end_rename;
+				old_dir->i_ino) {
+			retval = -EFSCORRUPTED;
+			udf_err(old_inode->i_sb,
+				"directory (ino %lu) has parent entry pointing to another inode (%lu != %u)\n",
+				old_inode->i_ino, old_dir->i_ino,
+				udf_get_lb_pblock(old_inode->i_sb, &tloc, 0));
+			goto out_oiter;
+		}
+	}
+
+	retval = udf_fiiter_find_entry(new_dir, &new_dentry->d_name, &niter);
+	if (retval && retval != -ENOENT)
+		goto out_oiter;
+	/* Entry found but not passed by VFS? */
+	if (!retval && !new_inode) {
+		retval = -EFSCORRUPTED;
+		udf_fiiter_release(&niter);
+		goto out_oiter;
 	}
-	if (!nfi) {
-		nfi = udf_add_entry(new_dir, new_dentry, &nfibh, &ncfi,
-				    &retval);
-		if (!nfi)
-			goto end_rename;
+	/* Entry not found? Need to add one... */
+	if (retval) {
+		udf_fiiter_release(&niter);
+		retval = udf_fiiter_add_entry(new_dir, new_dentry, &niter);
+		if (retval)
+			goto out_oiter;
 	}
 
 	/*
@@ -1322,14 +1312,26 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
 	/*
 	 * ok, that's it
 	 */
-	ncfi.fileVersionNum = ocfi.fileVersionNum;
-	ncfi.fileCharacteristics = ocfi.fileCharacteristics;
-	memcpy(&(ncfi.icb), &(ocfi.icb), sizeof(ocfi.icb));
-	udf_write_fi(new_dir, &ncfi, nfi, &nfibh, NULL, NULL);
+	niter.fi.fileVersionNum = oiter.fi.fileVersionNum;
+	niter.fi.fileCharacteristics = oiter.fi.fileCharacteristics;
+	memcpy(&(niter.fi.icb), &(oiter.fi.icb), sizeof(oiter.fi.icb));
+	udf_fiiter_write_fi(&niter, NULL);
+	udf_fiiter_release(&niter);
 
-	/* The old fid may have moved - find it again */
-	ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
-	udf_delete_entry(old_dir, ofi, &ofibh, &ocfi);
+	/*
+	 * The old entry may have moved due to new entry allocation. Find it
+	 * again.
+	 */
+	udf_fiiter_release(&oiter);
+	retval = udf_fiiter_find_entry(old_dir, &old_dentry->d_name, &oiter);
+	if (retval) {
+		udf_err(old_dir->i_sb,
+			"failed to find renamed entry again in directory (ino %lu)\n",
+			old_dir->i_ino);
+	} else {
+		udf_fiiter_delete_entry(&oiter);
+		udf_fiiter_release(&oiter);
+	}
 
 	if (new_inode) {
 		new_inode->i_ctime = current_time(new_inode);
@@ -1340,12 +1342,11 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
 	mark_inode_dirty(old_dir);
 	mark_inode_dirty(new_dir);
 
-	if (dir_fi) {
-		dir_fi->icb.extLocation = cpu_to_lelb(UDF_I(new_dir)->i_location);
-		if (old_iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB)
-			mark_inode_dirty(old_inode);
-		else
-			mark_buffer_dirty_inode(dir_bh, old_inode);
+	if (has_diriter) {
+		diriter.fi.icb.extLocation =
+					cpu_to_lelb(UDF_I(new_dir)->i_location);
+		udf_fiiter_write_fi(&diriter, NULL);
+		udf_fiiter_release(&diriter);
 
 		inode_dec_link_count(old_dir);
 		if (new_inode)
@@ -1355,22 +1356,11 @@ static int udf_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
 			mark_inode_dirty(new_dir);
 		}
 	}
-
-	if (ofi) {
-		if (ofibh.sbh != ofibh.ebh)
-			brelse(ofibh.ebh);
-		brelse(ofibh.sbh);
-	}
-
-	retval = 0;
-
-end_rename:
-	brelse(dir_bh);
-	if (nfi) {
-		if (nfibh.sbh != nfibh.ebh)
-			brelse(nfibh.ebh);
-		brelse(nfibh.sbh);
-	}
+	return 0;
+out_oiter:
+	if (has_diriter)
+		udf_fiiter_release(&diriter);
+	udf_fiiter_release(&oiter);
 
 	return retval;
 }
-- 
2.34.1

next prev parent reply	other threads:[~2024-10-17 17:19 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-17 17:18 [PATCH 6.1 00/19] Fix NULL pointer dereference for corrupted UDF filesystems Thadeu Lima de Souza Cascardo
2024-10-17 17:18 ` [PATCH 6.1 01/19] udf: New directory iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:18 ` [PATCH 6.1 02/19] udf: Convert udf_expand_dir_adinicb() to new directory iteration Thadeu Lima de Souza Cascardo
2024-10-17 17:18 ` [PATCH 6.1 03/19] udf: Move udf_expand_dir_adinicb() to its callsite Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 04/19] udf: Implement searching for directory entry using new iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 05/19] udf: Provide function to mark entry as deleted using new directory " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` Thadeu Lima de Souza Cascardo [this message]
2024-10-17 17:19 ` [PATCH 6.1 07/19] udf: Convert udf_readdir() to new directory iteration Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 08/19] udf: Convert udf_lookup() to use new directory iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 09/19] udf: Convert udf_get_parent() to " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 10/19] udf: Convert empty_dir() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 11/19] udf: Convert udf_rmdir() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 12/19] udf: Convert udf_unlink() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 13/19] udf: Implement adding of dir entries using new " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 14/19] udf: Convert udf_add_nondir() to new directory iteration Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 15/19] udf: Convert udf_mkdir() to new directory iteration code Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 16/19] udf: Convert udf_link() " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 17/19] udf: Remove old " Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 18/19] udf: Handle error when expanding directory Thadeu Lima de Souza Cascardo
2024-10-17 17:19 ` [PATCH 6.1 19/19] udf: Don't return bh from udf_expand_dir_adinicb() Thadeu Lima de Souza Cascardo
2024-10-18  6:41 ` [PATCH 6.1 00/19] Fix NULL pointer dereference for corrupted UDF filesystems Greg KH

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f9e7fe80a06 dfblob:1f8c91e953b )
 OR (
bs:"[PATCH 6.1 06/19] udf: Convert udf_rename() to new directory iteration code" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241017171915.311132-7-cascardo@igalia.com \
    --to=cascardo@igalia.com \
    --cc=jack@suse.cz \
    --cc=kernel-dev@igalia.com \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+0eaad3590d65102b9391@syzkaller.appspotmail.com \
    --cc=syzbot+b7fc73213bc2361ab650@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox