[PATCH] fat: avoid parent link count underflow in rmdir
From: Zhiyu Zhang
Date: Thu Jan 01 2026 - 06:12:21 EST
Corrupted FAT images can leave a directory inode with an incorrect
i_nlink (e.g. 2 even though subdirectories exist). rmdir then
unconditionally calls drop_nlink(dir) and can drive i_nlink to 0,
triggering the WARN_ON in drop_nlink().
Add a sanity check in vfat_rmdir() and msdos_rmdir(): only drop the
parent link count when it is at least 3, otherwise report a filesystem
error.
Fixes: 9a53c3a783c2 ("[PATCH] r/o bind mounts: unlink: monitor i_nlink")
Reported-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>
Closes: https://lore.kernel.org/linux-fsdevel/aVN06OKsKxZe6-Kv@xxxxxxxxxxxxxxxxxxxx/T/#t
Tested-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>
Signed-off-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>
---
fs/fat/namei_msdos.c | 7 ++++++-
fs/fat/namei_vfat.c | 7 ++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c
index 0b920ee40a7f..262ec1b790b5 100644
--- a/fs/fat/namei_msdos.c
+++ b/fs/fat/namei_msdos.c
@@ -325,7 +325,12 @@ static int msdos_rmdir(struct inode *dir, struct dentry *dentry)
err = fat_remove_entries(dir, &sinfo); /* and releases bh */
if (err)
goto out;
- drop_nlink(dir);
+ if (dir->i_nlink >= 3)
+ drop_nlink(dir);
+ else {
+ fat_fs_error(sb, "parent dir link count too low (%u)",
+ dir->i_nlink);
+ }
clear_nlink(inode);
fat_truncate_time(inode, NULL, S_CTIME);
diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c
index 5dbc4cbb8fce..47ff083cfc7e 100644
--- a/fs/fat/namei_vfat.c
+++ b/fs/fat/namei_vfat.c
@@ -803,7 +803,12 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry)
err = fat_remove_entries(dir, &sinfo); /* and releases bh */
if (err)
goto out;
- drop_nlink(dir);
+ if (dir->i_nlink >= 3)
+ drop_nlink(dir);
+ else {
+ fat_fs_error(sb, "parent dir link count too low (%u)",
+ dir->i_nlink);
+ }
clear_nlink(inode);
fat_truncate_time(inode, NULL, S_ATIME|S_MTIME);
--
2.34.1