udf: Verify inode link counts before performing rename

[ Upstream commit 6756af923e06aa33ad8894aaecbf9060953ba00f ]

During rename, we are updating link counts of various inodes either when
rename deletes target or when moving directory across directories.
Verify involved link counts are sane so that we don't trip warnings in
VFS.

Reported-by: syzbot+3ff7365dc04a6bcafa66@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index 2be775d30ac104e7c046237da21faa770f4adc6c..2cb49b6b07168a8195ce10391546c2e8bc110983 100644 (file)
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -791,8 +791,18 @@ static int udf_rename(struct mnt_idmap *idmap, struct inode *old_dir,
                        retval = -ENOTEMPTY;
                        if (!empty_dir(new_inode))
                                goto out_oiter;
+                       retval = -EFSCORRUPTED;
+                       if (new_inode->i_nlink != 2)
+                               goto out_oiter;
                }
+               retval = -EFSCORRUPTED;
+               if (old_dir->i_nlink < 3)
+                       goto out_oiter;
                is_dir = true;
+       } else if (new_inode) {
+               retval = -EFSCORRUPTED;
+               if (new_inode->i_nlink < 1)
+                       goto out_oiter;
        }
        if (is_dir && old_dir != new_dir) {
                retval = udf_fiiter_find_entry(old_inode, &dotdot_name,