ext4: Fix deadlock during directory rename
authorJan Kara <jack@suse.cz>
Wed, 1 Mar 2023 14:10:04 +0000 (15:10 +0100)
committerTheodore Ts'o <tytso@mit.edu>
Wed, 8 Mar 2023 02:45:38 +0000 (21:45 -0500)
As lockdep properly warns, we should not be locking i_rwsem while having
transactions started as the proper lock ordering used by all directory
handling operations is i_rwsem -> transaction start. Fix the lock
ordering by moving the locking of the directory earlier in
ext4_rename().

Reported-by: syzbot+9d16c39efb5fade84574@syzkaller.appspotmail.com
Fixes: 0813299c586b ("ext4: Fix possible corruption when moving a directory")
Link: https://syzkaller.appspot.com/bug?extid=9d16c39efb5fade84574
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230301141004.15087-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
fs/ext4/namei.c

index e8f429330f3c35c72106ad647258e19d23071180..7cc3918e2f1894b5ded68ca80cc9b59169d46469 100644 (file)
@@ -3813,10 +3813,20 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
                        return retval;
        }
 
+       /*
+        * We need to protect against old.inode directory getting converted
+        * from inline directory format into a normal one.
+        */
+       if (S_ISDIR(old.inode->i_mode))
+               inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
+
        old.bh = ext4_find_entry(old.dir, &old.dentry->d_name, &old.de,
                                 &old.inlined);
-       if (IS_ERR(old.bh))
-               return PTR_ERR(old.bh);
+       if (IS_ERR(old.bh)) {
+               retval = PTR_ERR(old.bh);
+               goto unlock_moved_dir;
+       }
+
        /*
         *  Check for inode number is _not_ due to possible IO errors.
         *  We might rmdir the source, keep it as pwd of some process
@@ -3873,11 +3883,6 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
                        if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
                                goto end_rename;
                }
-               /*
-                * We need to protect against old.inode directory getting
-                * converted from inline directory format into a normal one.
-                */
-               inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
                retval = ext4_rename_dir_prepare(handle, &old);
                if (retval) {
                        inode_unlock(old.inode);
@@ -4014,12 +4019,15 @@ end_rename:
        } else {
                ext4_journal_stop(handle);
        }
-       if (old.dir_bh)
-               inode_unlock(old.inode);
 release_bh:
        brelse(old.dir_bh);
        brelse(old.bh);
        brelse(new.bh);
+
+unlock_moved_dir:
+       if (S_ISDIR(old.inode->i_mode))
+               inode_unlock(old.inode);
+
        return retval;
 }