f2fs: fix potential corruption when moving a directory

commit d94772154e524b329a168678836745d2773a6e02 upstream.

F2FS has the same issue in ext4_rename causing crash revealed by
xfstests/generic/707.

See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory")

CC: stable@vger.kernel.org
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
index ed95c27e93026bf2192a8ba88cfa3a66ed3f2e14..9cb2a87247b213081cd02bf3ea252eced87cff0c 100644 (file)
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -892,12 +892,20 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
                        goto out;
        }
 
+       /*
+        * Copied from ext4_rename: we need to protect against old.inode
+        * directory getting converted from inline directory format into
+        * a normal one.
+        */
+       if (S_ISDIR(old_inode->i_mode))
+               inode_lock_nested(old_inode, I_MUTEX_NONDIR2);
+
        err = -ENOENT;
        old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
        if (!old_entry) {
                if (IS_ERR(old_page))
                        err = PTR_ERR(old_page);
-               goto out;
+               goto out_unlock_old;
        }
 
        if (S_ISDIR(old_inode->i_mode)) {
@@ -1025,6 +1033,9 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
 
        f2fs_unlock_op(sbi);
 
+       if (S_ISDIR(old_inode->i_mode))
+               inode_unlock(old_inode);
+
        if (IS_DIRSYNC(old_dir) || IS_DIRSYNC(new_dir))
                f2fs_sync_fs(sbi->sb, 1);
 
@@ -1040,6 +1051,9 @@ out_dir:
                f2fs_put_page(old_dir_page, 0);
 out_old:
        f2fs_put_page(old_page, 0);
+out_unlock_old:
+       if (S_ISDIR(old_inode->i_mode))
+               inode_unlock(old_inode);
 out:
        if (whiteout)
                iput(whiteout);