The reproducer uses a file0 on an ntfs3 file system with a corrupted i_link. When renaming, the file0's inode is marked as a bad inode because the file name cannot be deleted. However, before renaming, file0 is a directory. After the renaming fails, it is marked as a bad inode, which makes it a regular file. In any case, when opening it after creating a hard link, pick_link() should not be entered because it is not a symbolic link from beginning to end.

Add a check on the symbolic link before entering pick_link() to avoid triggering unknown exceptions when performing the i_link acquisition operation on other types of files.

Reported-by: syzbot+1aa90f0eb1fc3e77d969@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=1aa90f0eb1fc3e77d969
Tested-by: syzbot+1aa90f0eb1fc3e77d969@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
---
 fs/namei.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/namei.c b/fs/namei.c index 4bb889fc980b..1524a5359d46 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2005,6 +2005,10 @@ static const char *step_into(struct nameidata *nd, int flags, if (path.mnt == nd->path.mnt) mntget(path.mnt); } + + if (inode && !S_ISLNK(inode->i_mode)) + return NULL; + return pick_link(nd, &path, inode, flags); } -- 2.43.0
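Review bot: the new `return NULL` in step_into() leaks the reference taken by the `mntget(path.mnt)` two lines above it (and the dentry reference held in `path`, which pick_link() would have consumed), and NULL is the return value step_into() uses for "stepped into the target successfully" even though `nd->path` and `nd->inode` have not been updated here, so the caller continues the walk with stale state instead of seeing an error. If a guard is kept at this point it should at least put the `path` references and return an error such as `ERR_PTR(-EIO)` rather than NULL. More fundamentally, reaching this line means the dentry was classified as a symlink while `inode->i_mode` says otherwise, so the inconsistency is between the dentry type flags and the mode that make_bad_inode() rewrote on the ntfs3 inode; adding an S_ISLNK() test to the generic path-walk hot path for every symlink traversal papers over that mismatch rather than fixing where the type is assigned, and the changelog should say why the check belongs in fs/namei.c rather than in the bad-inode or ntfs3 code.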