The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable@xxxxxxxxxxxxxxx>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 85a37983ec69cc9fcd188bc37c4de15ee326355a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable@xxxxxxxxxxxxxxx>' --in-reply-to '1678110262133121@xxxxxxxxx' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 85a37983ec69 ("udf: Detect system inodes linked into directory hierarchy") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 85a37983ec69cc9fcd188bc37c4de15ee326355a Mon Sep 17 00:00:00 2001 From: Jan Kara <jack@xxxxxxx> Date: Tue, 3 Jan 2023 10:03:35 +0100 Subject: [PATCH] udf: Detect system inodes linked into directory hierarchy When UDF filesystem is corrupted, hidden system inodes can be linked into directory hierarchy which is an avenue for further serious corruption of the filesystem and kernel confusion as noticed by syzbot fuzzed images. Refuse to access system inodes linked into directory hierarchy and vice versa. CC: stable@xxxxxxxxxxxxxxx Reported-by: syzbot+38695a20b8addcbc1084@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Jan Kara <jack@xxxxxxx> diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 9ee269d3d546..96873fa2f683 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1813,8 +1813,13 @@ struct inode *__udf_iget(struct super_block *sb, struct kernel_lb_addr *ino, if (!inode) return ERR_PTR(-ENOMEM); - if (!(inode->i_state & I_NEW)) + if (!(inode->i_state & I_NEW)) { + if (UDF_I(inode)->i_hidden != hidden_inode) { + iput(inode); + return ERR_PTR(-EFSCORRUPTED); + } return inode; + } memcpy(&UDF_I(inode)->i_location, ino, sizeof(struct kernel_lb_addr)); err = udf_read_inode(inode, hidden_inode);