ext4: Fix possible corruption when moving a directory

[ Upstream commit 9561e8b4f5bba08f2f05307910aa819fda55001c ]

When we are renaming a directory to a different directory, we need to
update '..' entry in the moved directory. However nothing prevents moved
directory from being modified and even converted from the inline format
to the normal format. When such race happens the rename code gets
confused and we crash. Fix the problem by locking the moved directory.

CC: stable@vger.kernel.org
Fixes: 4f33f5947495 ("ext4: let ext4_rename handle inline dir")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 9799ed2fdbc09e4a1c6cb75267c9c46faecfac79..dc8f8a435a7ea4c03f0d9fa1cd80582c8f40502b 100644 (file)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3873,9 +3873,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
                        if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
                                goto end_rename;
                }
+               /*
+                * We need to protect against old.inode directory getting
+                * converted from inline directory format into a normal one.
+                */
+               inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
                retval = ext4_rename_dir_prepare(handle, &old);
-               if (retval)
+               if (retval) {
+                       inode_unlock(old.inode);
                        goto end_rename;
+               }
        }
        /*
         * If we're renaming a file within an inline_data dir and adding or
@@ -4007,6 +4014,8 @@ end_rename:
        } else {
                ext4_journal_stop(handle);
        }
+       if (old.dir_bh)
+               inode_unlock(old.inode);
 release_bh:
        brelse(old.dir_bh);
        brelse(old.bh);