Patch "ext4: Fix possible corruption when moving a directory" has been added to the 6.2-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 13 Mar 2023 08:07:42 -0400

This is a note to let you know that I've just added the patch titled

    ext4: Fix possible corruption when moving a directory

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ext4-fix-possible-corruption-when-moving-a-directory.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8dfaa2f922d1040474f66467cf1305559d022dce
Author: Jan Kara <jack@xxxxxxx>
Date:   Thu Jan 26 12:22:21 2023 +0100

    ext4: Fix possible corruption when moving a directory
    
    [ Upstream commit 0813299c586b175d7edb25f56412c54b812d0379 ]
    
    When we are renaming a directory to a different directory, we need to
    update '..' entry in the moved directory. However nothing prevents moved
    directory from being modified and even converted from the inline format
    to the normal format. When such race happens the rename code gets
    confused and we crash. Fix the problem by locking the moved directory.
    
    CC: stable@xxxxxxxxxxxxxxx
    Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir")
    Signed-off-by: Jan Kara <jack@xxxxxxx>
    Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@xxxxxxx
    Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 924e16b239e07..e8f429330f3c3 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3873,9 +3873,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
 			if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
 				goto end_rename;
 		}
+		/*
+		 * We need to protect against old.inode directory getting
+		 * converted from inline directory format into a normal one.
+		 */
+		inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
 		retval = ext4_rename_dir_prepare(handle, &old);
-		if (retval)
+		if (retval) {
+			inode_unlock(old.inode);
 			goto end_rename;
+		}
 	}
 	/*
 	 * If we're renaming a file within an inline_data dir and adding or
@@ -4007,6 +4014,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
 	} else {
 		ext4_journal_stop(handle);
 	}
+	if (old.dir_bh)
+		inode_unlock(old.inode);
 release_bh:
 	brelse(old.dir_bh);
 	brelse(old.bh);






