Re: [PATCH] fat: avoid parent link count underflow in rmdir
From: OGAWA Hirofumi
Date: Mon Jan 12 2026 - 11:21:01 EST
Ping?
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx> writes:
> Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx> writes:
>
>> Corrupted FAT images can leave a directory inode with an incorrect
>> i_nlink (e.g. 2 even though subdirectories exist). rmdir then
>> unconditionally calls drop_nlink(dir) and can drive i_nlink to 0,
>> triggering the WARN_ON in drop_nlink().
>>
>> Add a sanity check in vfat_rmdir() and msdos_rmdir(): only drop the
>> parent link count when it is at least 3, otherwise report a filesystem
>> error.
>>
>> Fixes: 9a53c3a783c2 ("[PATCH] r/o bind mounts: unlink: monitor i_nlink")
>> Reported-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>
>> Closes: https://lore.kernel.org/linux-fsdevel/aVN06OKsKxZe6-Kv@xxxxxxxxxxxxxxxxxxxx/T/#t
>> Tested-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>
>> Signed-off-by: Zhiyu Zhang <zhiyuzhang999@xxxxxxxxx>
>
> Looks good. Thanks.
>
> Acked-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
>
>> ---
>> fs/fat/namei_msdos.c | 7 ++++++-
>> fs/fat/namei_vfat.c | 7 ++++++-
>> 2 files changed, 12 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c
>> index 0b920ee40a7f..262ec1b790b5 100644
>> --- a/fs/fat/namei_msdos.c
>> +++ b/fs/fat/namei_msdos.c
>> @@ -325,7 +325,12 @@ static int msdos_rmdir(struct inode *dir, struct dentry *dentry)
>> err = fat_remove_entries(dir, &sinfo); /* and releases bh */
>> if (err)
>> goto out;
>> - drop_nlink(dir);
>> + if (dir->i_nlink >= 3)
>> + drop_nlink(dir);
>> + else {
>> + fat_fs_error(sb, "parent dir link count too low (%u)",
>> + dir->i_nlink);
>> + }
>>
>> clear_nlink(inode);
>> fat_truncate_time(inode, NULL, S_CTIME);
>> diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c
>> index 5dbc4cbb8fce..47ff083cfc7e 100644
>> --- a/fs/fat/namei_vfat.c
>> +++ b/fs/fat/namei_vfat.c
>> @@ -803,7 +803,12 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry)
>> err = fat_remove_entries(dir, &sinfo); /* and releases bh */
>> if (err)
>> goto out;
>> - drop_nlink(dir);
>> + if (dir->i_nlink >= 3)
>> + drop_nlink(dir);
>> + else {
>> + fat_fs_error(sb, "parent dir link count too low (%u)",
>> + dir->i_nlink);
>> + }
>>
>> clear_nlink(inode);
>> fat_truncate_time(inode, NULL, S_ATIME|S_MTIME);
--
OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>