Re: [PATCH] fs: minix: Fix handling of corrupted directories
From: Jan Kara
Date: Mon May 05 2025 - 06:15:51 EST
On Fri 02-05-25 19:43:36, Andrey Kriulin wrote:
> If the directory is corrupted and the number of nlinks is less than 2
> (valid nlinks have at least 2), then when the directory is deleted, the
> minix_rmdir will try to reduce the nlinks(unsigned int) to a negative
> value.
>
> Make nlinks validity check for directory in minix_lookup.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Andrey Kriulin <kitotavrik.media@xxxxxxxxx>
Thanks for the patch. One comment below.
> diff --git a/fs/minix/namei.c b/fs/minix/namei.c
> index 8938536d8..5717a56fa 100644
> --- a/fs/minix/namei.c
> +++ b/fs/minix/namei.c
> @@ -28,8 +28,13 @@ static struct dentry *minix_lookup(struct inode * dir, struct dentry *dentry, un
> return ERR_PTR(-ENAMETOOLONG);
>
> ino = minix_inode_by_name(dentry);
> - if (ino)
> + if (ino) {
> inode = minix_iget(dir->i_sb, ino);
> + if (S_ISDIR(inode->i_mode) && inode->i_nlink < 2) {
> + iput(inode);
> + return ERR_PTR(-EIO);
> + }
> + }
> return d_splice_alias(inode, dentry);
> }
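Review bot: the added S_ISDIR() test reads inode->i_mode directly after minix_iget() with no IS_ERR(inode) check. minix_iget() reports failure as an ERR_PTR value, which the old code passed straight to d_splice_alias(); the new test would dereference that error pointer, and iput() would then be called on it. Guard the condition, for example `if (!IS_ERR(inode) && S_ISDIR(inode->i_mode) && inode->i_nlink < 2)`, so the error value still reaches d_splice_alias() untouched.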
I don't think this is the best place to handle such a check. IMO it would be
more logical to do it in minix_iget() - V[12]_minix_iget() to be more
precise - to properly catch all the paths where the inode is loaded into
memory. This way your check will not happen for the root directory inode
for example.
Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR