Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp4710703rwb;
        Tue, 17 Jan 2023 04:40:12 -0800 (PST)
X-Google-Smtp-Source: AMrXdXuLd0pq6OALLgGnxQtLSKwK18w7FTFBvcdfYlxWcziiKLAk9vPsm7PSn0FLqUathUnGB0y8
X-Received: by 2002:a17:90a:1285:b0:229:679b:bf9c with SMTP id g5-20020a17090a128500b00229679bbf9cmr3273606pja.9.1673959212549;
        Tue, 17 Jan 2023 04:40:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673959212; cv=none;
        d=google.com; s=arc-20160816;
        b=dJ1iEnkH0YqSrjZx9OpMZPN0v0InYjv+g0pqD1IyDZ+qm9YKHVmrKg6/8XktY+K/W1
         pYIjU5ZswtgDedTtNk3RBQXho6KcLRuoMFogC/+ZIKLkeiO2wZEipDhpPCFey3z8QhK3
         egpgNjlRMeXw55YfhLA44u6n2Xc3QXi9BL6rZBZQ6KbEhQaRWvaSfI0lv4xO4l98hzF9
         Z8dUfxfKO7IROa9fcDxfFfPr0UTbncPqi9LfaSlByyXTfEpdmjrj6+KY6WcQjTK1pbXG
         FMssF8/PgIHzY92hiDIeD1AIMxmlKJOVxY/Vdh7RLnHnmK56NZw3dpsp9nzVyJv1BRRe
         2f8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:cc:to:from:date:dkim-signature:dkim-signature;
        bh=D/Gwv1OQXVt03JIY3T875i7foDn1vhu4dyLpEgQk+hk=;
        b=WANiiH4fmyVUM193ghjglkO8NipUuePfPjQjumYCLJeuTsKPpkcO93ejru7Vy4iY2g
         0+5Upr0K3Jus1LGYh0Cs5cyWwi8vrbw9lpSfTXCVc9Ib4LB1UWe/3FCZmIVO2SOVZFS8
         zSfkbhKo4M34bNuDh6aduQMSjbtmFOERC0xU8PRiIjiCUKgMdkepq6lAbbSq/0X0i5He
         SdzVQN7H8rVt5SrRmwxlRkMLXY22zVEiVGmjYHUqlu5coTIINJyO7s2YLAD52AtG4QZM
         q2jAPOuwI1tS1ClhKUi18Me0uNdHpZuWAbpp8+PFIR1o6IDEdZSu+BqHnzzpwhsSHeD9
         2BIA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=grjCvqvP;
       dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=V2EkX1GQ;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org
Return-Path: <linux-ext4-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id oe9-20020a17090b394900b00229b4d71706si220351pjb.29.2023.01.17.04.39.54;
        Tue, 17 Jan 2023 04:40:12 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=grjCvqvP;
       dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=V2EkX1GQ;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236523AbjAQMhk (ORCPT <rfc822;aminbrickmover@gmail.com>
        + 99 others); Tue, 17 Jan 2023 07:37:40 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57326 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236129AbjAQMhj (ORCPT
        <rfc822;linux-ext4@vger.kernel.org>); Tue, 17 Jan 2023 07:37:39 -0500
Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 88D2E252A0;
        Tue, 17 Jan 2023 04:37:38 -0800 (PST)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by smtp-out1.suse.de (Postfix) with ESMTPS id 41F1A37BC6;
        Tue, 17 Jan 2023 12:37:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa;
        t=1673959057; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type;
        bh=D/Gwv1OQXVt03JIY3T875i7foDn1vhu4dyLpEgQk+hk=;
        b=grjCvqvP9dywlcw43DCV5jmq+6yH2pIyVWgZDJu8Pp/FgJgk9BexIQwneUud8ZAhCP1AKB
        35Cz2an/3MSNhfIUlf8FeL3/gT+U/UIgMr3+afb/kRRw0Oqto9eTlKPXFNHupkVYZE93KY
        IrdKnu2eE9NbNKQ+pypAufeU+H4e77E=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz;
        s=susede2_ed25519; t=1673959057;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type;
        bh=D/Gwv1OQXVt03JIY3T875i7foDn1vhu4dyLpEgQk+hk=;
        b=V2EkX1GQV8y/mqr9WNiNdzlvQzNM0eiuUbkg/2jwte18RiIvuv0/zS0gNKyvjZ0T4ff9kQ
        9f61xM6dWwTh+ZAg==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 228361390C;
        Tue, 17 Jan 2023 12:37:37 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id Xs5hCJGWxmMlaAAAMHmgww
        (envelope-from <jack@suse.cz>); Tue, 17 Jan 2023 12:37:37 +0000
Received: by quack3.suse.cz (Postfix, from userid 1000)
        id BCB2DA06B2; Tue, 17 Jan 2023 13:37:35 +0100 (CET)
Date:   Tue, 17 Jan 2023 13:37:35 +0100
From:   Jan Kara <jack@suse.cz>
To:     Al Viro <viro@ZenIV.linux.org.uk>
Cc:     linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
        Ted Tso <tytso@mit.edu>, linux-xfs@vger.kernel.org
Subject: Locking issue with directory renames
Message-ID: <20230117123735.un7wbamlbdihninm@quack3>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_SOFTFAIL autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

Hello!

I've some across an interesting issue that was spotted by syzbot [1]. The
report is against UDF but AFAICS the problem exists for ext4 as well and
possibly other filesystems. The problem is the following: When we are
renaming directory 'dir' say rename("foo/dir", "bar/") we lock 'foo' and
'bar' but 'dir' is unlocked because the locking done by vfs_rename() is

        if (!is_dir || (flags & RENAME_EXCHANGE))
                lock_two_nondirectories(source, target);
        else if (target)
                inode_lock(target);

However some filesystems (e.g. UDF but ext4 as well, I suspect XFS may be
hurt by this as well because it converts among multiple dir formats) need
to update parent pointer in 'dir' and nothing protects this update against
a race with someone else modifying 'dir'. Now this is mostly harmless
because the parent pointer (".." directory entry) is at the beginning of
the directory and stable however if for example the directory is converted
from packed "in-inode" format to "expanded" format as a result of
concurrent operation on 'dir', the filesystem gets corrupted (or crashes as
in case of UDF).

So we'd need to lock 'source' if it is a directory. Ideally this would
happen in VFS as otherwise I bet a lot of filesystems will get this wrong
so could vfs_rename() lock 'source' if it is a dir as well? Essentially
this would amount to calling lock_two_nondirectories(source, target)
unconditionally but that would become a serious misnomer ;). Al, any
thought?

								Honza

[1] https://lore.kernel.org/all/000000000000261eb005f2191696@google.com

-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR