Message-ID: <87secph8yi.fsf@mail.parknet.co.jp>
Date: Thu, 01 Jan 2026 20:24:21 +0900
From: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
To: Andrew Morton <akpm@...ux-foundation.org>
Cc: Zhiyu Zhang <zhiyuzhang999@...il.com>, viro@...iv.linux.org.uk,
        brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fat: avoid parent link count underflow in rmdir

Zhiyu Zhang <zhiyuzhang999@...il.com> writes:

> Corrupted FAT images can leave a directory inode with an incorrect
> i_nlink (e.g. 2 even though subdirectories exist). rmdir then
> unconditionally calls drop_nlink(dir) and can drive i_nlink to 0,
> triggering the WARN_ON in drop_nlink().
>
> Add a sanity check in vfat_rmdir() and msdos_rmdir(): only drop the
> parent link count when it is at least 3, otherwise report a filesystem
> error.
>
> Fixes: 9a53c3a783c2 ("[PATCH] r/o bind mounts: unlink: monitor i_nlink")
> Reported-by: Zhiyu Zhang <zhiyuzhang999@...il.com>
> Closes: https://lore.kernel.org/linux-fsdevel/aVN06OKsKxZe6-Kv@casper.infradead.org/T/#t
> Tested-by: Zhiyu Zhang <zhiyuzhang999@...il.com>
> Signed-off-by: Zhiyu Zhang <zhiyuzhang999@...il.com>

Looks good. Thanks.

Acked-by: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>

> ---
>  fs/fat/namei_msdos.c | 7 ++++++-
>  fs/fat/namei_vfat.c  | 7 ++++++-
>  2 files changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c
> index 0b920ee40a7f..262ec1b790b5 100644
> --- a/fs/fat/namei_msdos.c
> +++ b/fs/fat/namei_msdos.c
> @@ -325,7 +325,12 @@ static int msdos_rmdir(struct inode *dir, struct dentry *dentry)
>  	err = fat_remove_entries(dir, &sinfo);	/* and releases bh */
>  	if (err)
>  		goto out;
> -	drop_nlink(dir);
> +	if (dir->i_nlink >= 3)
> +		drop_nlink(dir);
> +	else {
> +		fat_fs_error(sb, "parent dir link count too low (%u)",
> +			dir->i_nlink);
> +	}
>  
>  	clear_nlink(inode);
>  	fat_truncate_time(inode, NULL, S_CTIME);
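Review bot: in the else branch of msdos_rmdir(), fat_fs_error() is called but err is still 0 (the preceding "if (err) goto out;" was not taken), and execution falls through to clear_nlink(inode), so the rmdir proceeds as a success on a filesystem that was just flagged as corrupted. If that is intended because the entries have already been removed by fat_remove_entries(), a short comment saying so would help; otherwise err should be set here. Style: kernel coding style asks for braces on both branches when one branch needs them, so the "if (dir->i_nlink >= 3)" arm should be braced as well.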
> diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c
> index 5dbc4cbb8fce..47ff083cfc7e 100644
> --- a/fs/fat/namei_vfat.c
> +++ b/fs/fat/namei_vfat.c
> @@ -803,7 +803,12 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry)
>  	err = fat_remove_entries(dir, &sinfo);	/* and releases bh */
>  	if (err)
>  		goto out;
> -	drop_nlink(dir);
> +	if (dir->i_nlink >= 3)
> +		drop_nlink(dir);
> +	else {
> +		fat_fs_error(sb, "parent dir link count too low (%u)",
> +			dir->i_nlink);
> +	}
>  
>  	clear_nlink(inode);
>  	fat_truncate_time(inode, NULL, S_ATIME|S_MTIME);
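Review bot: the "dir->i_nlink >= 3" check and its fat_fs_error() message in vfat_rmdir() are a verbatim copy of the msdos_rmdir() hunk, so the two can drift apart later; a small shared helper in the common FAT code, called from both rmdir paths, would keep them in sync. The threshold 3 is also unexplained at the point of use; a one-line comment stating why a parent that still contains a subdirectory must have at least that many links would make the check self-documenting.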

-- 
OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
