This is a note to let you know that I've just added the patch titled udf: Detect system inodes linked into directory hierarchy to the 6.2-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: udf-detect-system-inodes-linked-into-directory-hierarchy.patch and it can be found in the queue-6.2 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 85a37983ec69cc9fcd188bc37c4de15ee326355a Mon Sep 17 00:00:00 2001 From: Jan Kara <jack@xxxxxxx> Date: Tue, 3 Jan 2023 10:03:35 +0100 Subject: udf: Detect system inodes linked into directory hierarchy From: Jan Kara <jack@xxxxxxx> commit 85a37983ec69cc9fcd188bc37c4de15ee326355a upstream. When UDF filesystem is corrupted, hidden system inodes can be linked into directory hierarchy which is an avenue for further serious corruption of the filesystem and kernel confusion as noticed by syzbot fuzzed images. Refuse to access system inodes linked into directory hierarchy and vice versa. CC: stable@xxxxxxxxxxxxxxx Reported-by: syzbot+38695a20b8addcbc1084@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Jan Kara <jack@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/udf/inode.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1885,8 +1885,13 @@ struct inode *__udf_iget(struct super_bl if (!inode) return ERR_PTR(-ENOMEM); - if (!(inode->i_state & I_NEW)) + if (!(inode->i_state & I_NEW)) { + if (UDF_I(inode)->i_hidden != hidden_inode) { + iput(inode); + return ERR_PTR(-EFSCORRUPTED); + } return inode; + } memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); err = udf_read_inode(inode, hidden_inode); Patches currently in stable-queue which might be from jack@xxxxxxx are queue-6.2/udf-fix-file-corruption-when-appending-just-after-end-of-preallocated-extent.patch queue-6.2/sbitmap-correct-wake_batch-recalculation-to-avoid-po.patch queue-6.2/udf-do-not-update-file-length-for-failed-writes-to-inline-files.patch queue-6.2/udf-truncate-added-extents-on-failed-expansion.patch queue-6.2/udf-detect-system-inodes-linked-into-directory-hierarchy.patch queue-6.2/udf-do-not-bother-merging-very-long-extents.patch queue-6.2/udf-define-efscorrupted-error-code.patch queue-6.2/sbitmap-remove-redundant-check-in-__sbitmap_queue_ge.patch queue-6.2/udf-preserve-link-count-of-system-files.patch