Linux kernel -stable discussions
* [PATCH] fs: minix: Fix handling of corrupted directories
@ 2025-05-02 16:43 Andrey Kriulin
  2025-05-05 10:15 ` Jan Kara
  0 siblings, 1 reply; 6+ messages in thread
From: Andrey Kriulin @ 2025-05-02 16:43 UTC
  To: Christian Brauner
  Cc: Andrey Kriulin, Matthew Wilcox (Oracle), Josef Bacik, NeilBrown,
	Jan Kara, linux-kernel, stable

If the directory is corrupted and the number of nlinks is less than 2 
(valid nlinks have at least 2), then when the directory is deleted, the
minix_rmdir will try to reduce the nlinks(unsigned int) to a negative
value.

Make nlinks validity check for directory in minix_lookup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Kriulin <kitotavrik.media@gmail.com>
---
 fs/minix/namei.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8..5717a56fa 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -28,8 +28,13 @@ static struct dentry *minix_lookup(struct inode * dir, struct dentry *dentry, un
 		return ERR_PTR(-ENAMETOOLONG);
 
 	ino = minix_inode_by_name(dentry);
-	if (ino)
+	if (ino) {
 		inode = minix_iget(dir->i_sb, ino);
+		if (S_ISDIR(inode->i_mode) && inode->i_nlink < 2) {
+			iput(inode);
+			return ERR_PTR(-EIO);
+		}
+	}
 	return d_splice_alias(inode, dentry);
 }
 
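Review bot: the new `S_ISDIR(inode->i_mode)` test in minix_lookup() dereferences the result of minix_iget() with no IS_ERR() check. Before this change that result went straight to d_splice_alias(), which accepts an error pointer, so if minix_iget() fails the added test reads through an ERR_PTR. Suggest `if (!IS_ERR(inode) && S_ISDIR(inode->i_mode) && inode->i_nlink < 2)`.
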
-- 
2.47.2



* [PATCH] fs: minix: Fix handling of corrupted directories
@ 2025-05-02 16:50 Andrey Kriulin
  2025-05-02 17:13 ` Al Viro
  2025-05-02 17:27 ` Matthew Wilcox
  0 siblings, 2 replies; 6+ messages in thread
From: Andrey Kriulin @ 2025-05-02 16:50 UTC
  To: Christian Brauner
  Cc: Andrey Kriulin, Matthew Wilcox (Oracle), Josef Bacik, NeilBrown,
	Jan Kara, linux-kernel, lvc-project, stable

If the directory is corrupted and the number of nlinks is less than 2 
(valid nlinks have at least 2), then when the directory is deleted, the
minix_rmdir will try to reduce the nlinks(unsigned int) to a negative
value.

Make nlinks validity check for directory in minix_lookup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Kriulin <kitotavrik.media@gmail.com>
---
 fs/minix/namei.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/minix/namei.c b/fs/minix/namei.c
index 8938536d8..5717a56fa 100644
--- a/fs/minix/namei.c
+++ b/fs/minix/namei.c
@@ -28,8 +28,13 @@ static struct dentry *minix_lookup(struct inode * dir, struct dentry *dentry, un
 		return ERR_PTR(-ENAMETOOLONG);
 
 	ino = minix_inode_by_name(dentry);
-	if (ino)
+	if (ino) {
 		inode = minix_iget(dir->i_sb, ino);
+		if (S_ISDIR(inode->i_mode) && inode->i_nlink < 2) {
+			iput(inode);
+			return ERR_PTR(-EIO);
+		}
+	}
 	return d_splice_alias(inode, dentry);
 }
 
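Review bot: returning `ERR_PTR(-EIO)` from minix_lookup() rejects the directory for every caller, while the commit message locates the underflow in minix_rmdir. Consider refusing the decrement in the removal path instead, or state in the changelog why failing every lookup of such a directory is the intended behaviour.
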
-- 
2.47.2



* Re: [PATCH] fs: minix: Fix handling of corrupted directories
  2025-05-02 16:50 [PATCH] fs: minix: Fix handling of corrupted directories Andrey Kriulin
@ 2025-05-02 17:13 ` Al Viro
  2025-05-02 17:27 ` Matthew Wilcox
  1 sibling, 0 replies; 6+ messages in thread
From: Al Viro @ 2025-05-02 17:13 UTC
  To: Andrey Kriulin
  Cc: Christian Brauner, Andrey Kriulin, Matthew Wilcox (Oracle),
	Josef Bacik, NeilBrown, Jan Kara, linux-kernel, lvc-project,
	stable

On Fri, May 02, 2025 at 07:50:57PM +0300, Andrey Kriulin wrote:
> If the directory is corrupted and the number of nlinks is less than 2 
> (valid nlinks have at least 2), then when the directory is deleted, the
> minix_rmdir will try to reduce the nlinks(unsigned int) to a negative
> value.
> 
> Make nlinks validity check for directory in minix_lookup.
 
Not sure it's a good mitigation strategy - if nothing else, doing that
on r/o filesystem is clear loss...


* Re: [PATCH] fs: minix: Fix handling of corrupted directories
  2025-05-02 16:50 [PATCH] fs: minix: Fix handling of corrupted directories Andrey Kriulin
  2025-05-02 17:13 ` Al Viro
@ 2025-05-02 17:27 ` Matthew Wilcox
  2025-05-05 10:19   ` Jan Kara
  1 sibling, 1 reply; 6+ messages in thread
From: Matthew Wilcox @ 2025-05-02 17:27 UTC
  To: Andrey Kriulin
  Cc: Christian Brauner, Andrey Kriulin, Josef Bacik, NeilBrown,
	Jan Kara, linux-kernel, lvc-project, stable

On Fri, May 02, 2025 at 07:50:57PM +0300, Andrey Kriulin wrote:
> If the directory is corrupted and the number of nlinks is less than 2 

... so should it be EIO or EFSCORRUPTED?


* Re: [PATCH] fs: minix: Fix handling of corrupted directories
  2025-05-02 16:43 Andrey Kriulin
@ 2025-05-05 10:15 ` Jan Kara
  0 siblings, 0 replies; 6+ messages in thread
From: Jan Kara @ 2025-05-05 10:15 UTC
  To: Andrey Kriulin
  Cc: Christian Brauner, Andrey Kriulin, Matthew Wilcox (Oracle),
	Josef Bacik, NeilBrown, Jan Kara, linux-kernel, stable

On Fri 02-05-25 19:43:36, Andrey Kriulin wrote:
> If the directory is corrupted and the number of nlinks is less than 2 
> (valid nlinks have at least 2), then when the directory is deleted, the
> minix_rmdir will try to reduce the nlinks(unsigned int) to a negative
> value.
> 
> Make nlinks validity check for directory in minix_lookup.
> 
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Andrey Kriulin <kitotavrik.media@gmail.com>

Thanks for the patch. One comment below.

> diff --git a/fs/minix/namei.c b/fs/minix/namei.c
> index 8938536d8..5717a56fa 100644
> --- a/fs/minix/namei.c
> +++ b/fs/minix/namei.c
> @@ -28,8 +28,13 @@ static struct dentry *minix_lookup(struct inode * dir, struct dentry *dentry, un
>  		return ERR_PTR(-ENAMETOOLONG);
>  
>  	ino = minix_inode_by_name(dentry);
> -	if (ino)
> +	if (ino) {
>  		inode = minix_iget(dir->i_sb, ino);
> +		if (S_ISDIR(inode->i_mode) && inode->i_nlink < 2) {
> +			iput(inode);
> +			return ERR_PTR(-EIO);
> +		}
> +	}
>  	return d_splice_alias(inode, dentry);
>  }
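
Review bot: the `inode->i_nlink < 2` branch fails silently and the constant 2 is unexplained in the code. Add a short comment saying why a directory needs at least two links, and log the inode number before `iput(inode)` so a user who gets -EIO can tell that on-disk corruption was detected.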

I don't think this is the best place to handle such check. IMO it would be
more logical to do it in minix_iget() - V[12]_minix_iget() to be more
precise - to properly catch all the paths where the inode is loaded into
memory. This way your check will not happen for the root directory inode
for example.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR
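
The underflow from the commit message and the load-time check suggested in the reply above, as an added userspace model (not kernel code and not part of the thread). All `model_*` names, the two-decrement removal and the sample inodes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_S_IFMT  0170000u
#define MODEL_S_IFDIR 0040000u
#define MODEL_EIO     5

/* Constructed stand-in for an inode; not the kernel's struct inode. */
struct model_inode {
    uint32_t mode;   /* file type and permission bits */
    uint32_t nlink;  /* unsigned, as the commit message notes */
};

/* Assumed shape of directory removal: two link drops on the victim.
 * With nlink == 1 the second decrement wraps around instead of going negative. */
static uint32_t model_rmdir_unchecked(struct model_inode *in)
{
    in->nlink--;   /* entry in the parent directory */
    in->nlink--;   /* the directory's own "." entry */
    return in->nlink;
}

/* Load-time validation: every path that brings an inode into memory
 * (lookup, root inode at mount, ...) goes through this one function. */
static int model_iget(const struct model_inode *raw, struct model_inode *out)
{
    if ((raw->mode & MODEL_S_IFMT) == MODEL_S_IFDIR && raw->nlink < 2)
        return -MODEL_EIO;   /* corrupted directory never becomes usable */
    *out = *raw;
    return 0;
}

int main(void)
{
    /* Constructed on-disk records: one corrupted directory, one valid. */
    struct model_inode bad  = { MODEL_S_IFDIR | 0755, 1 };
    struct model_inode good = { MODEL_S_IFDIR | 0755, 2 };
    struct model_inode in, victim = bad;

    printf("unchecked rmdir: nlink=%u\n",
           (unsigned)model_rmdir_unchecked(&victim));
    printf("iget(bad)=%d iget(good)=%d\n",
           model_iget(&bad, &in), model_iget(&good, &in));
    return 0;
}
```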


* Re: [PATCH] fs: minix: Fix handling of corrupted directories
  2025-05-02 17:27 ` Matthew Wilcox
@ 2025-05-05 10:19   ` Jan Kara
  0 siblings, 0 replies; 6+ messages in thread
From: Jan Kara @ 2025-05-05 10:19 UTC
  To: Matthew Wilcox
  Cc: Andrey Kriulin, Christian Brauner, Andrey Kriulin, Josef Bacik,
	NeilBrown, Jan Kara, linux-kernel, lvc-project, stable

On Fri 02-05-25 18:27:08, Matthew Wilcox wrote:
> On Fri, May 02, 2025 at 07:50:57PM +0300, Andrey Kriulin wrote:
> > If the directory is corrupted and the number of nlinks is less than 2 
> 
> ... so should it be EIO or EFSCORRUPTED?

Well, EFSCORRUPTED is an internal define (to EUCLEAN) local to several
filesystems. So we'd need to lift that define to a generic code first.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

