| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_C2474B031BD225AABA42BB7D33FC9E861B08@qq.com>
Date: Sun, 24 Nov 2024 22:38:23 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+028180f480a74961919c@...kaller.appspotmail.com
Cc: linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [hfs?] WARNING in hfsplus_unlink
After the rename syscall fails, the unlink syscall triggers a warning in
drop_nlink() because the i_nlink value is 0.
When unlink succeeds but rename_cat fails in rename, the i_nlink and flags
values of the inode of the new dentry should be restored.
#syz test
diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
index f5c4b3e31a1c..b489d22409e7 100644
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -534,7 +534,7 @@ static int hfsplus_rename(struct mnt_idmap *idmap,
struct inode *new_dir, struct dentry *new_dentry,
unsigned int flags)
{
- int res;
+ int res, unlinked_new = 0;
if (flags & ~RENAME_NOREPLACE)
return -EINVAL;
@@ -543,8 +543,10 @@ static int hfsplus_rename(struct mnt_idmap *idmap,
if (d_really_is_positive(new_dentry)) {
if (d_is_dir(new_dentry))
res = hfsplus_rmdir(new_dir, new_dentry);
- else
+ else {
res = hfsplus_unlink(new_dir, new_dentry);
+ unlinked_new = res == 0 && d_inode(new_dentry)->i_flags & S_DEAD;
+ }
if (res)
return res;
}
@@ -554,6 +556,12 @@ static int hfsplus_rename(struct mnt_idmap *idmap,
new_dir, &new_dentry->d_name);
if (!res)
new_dentry->d_fsdata = old_dentry->d_fsdata;
+ else if (unlinked_new) {
+ struct inode *inode = d_inode(new_dentry);
+ set_nlink(inode, inode->i_nlink + 1);
+ inode->i_flags &= ~S_DEAD;
+ }
+
return res;
}
Powered by blists - more mailing lists