lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171016012852.pz63e7hd67c7ipy5@thunk.org>
Date:   Sun, 15 Oct 2017 21:28:52 -0400
From:   Theodore Ts'o <tytso@....edu>
To:     Kilian Cavalotti <kilian.cavalotti.work@...il.com>
Cc:     Andreas Dilger <adilger@...ger.ca>, linux-ext4@...r.kernel.org
Subject: Re: Recover from a "deleted inode referenced" situation

On Sun, Oct 15, 2017 at 04:37:03PM -0700, Kilian Cavalotti wrote:
> The timeline was:
> 1. mounted r/o
> 2. "du /mnt/path/to/deep/dir" returned decent value
> 3. started rsyncĂ­ng data out
> 4. mounted r/w
> 5. errors started to appear in the rsync process
> 6. "ls /mnt/path" returned I/O error and "deleted inode referenced"
> 
> So I _think_ that the filesystem was mostly ok before the r/w remount,
> because the first-level directory of my initial "du", which worked,
> ended up disappearing.

I agree with you; if the initial du worked, but then a du after the
r/w remount failed, then the second possibility is more likely what
happened.

> I think it started online, but I'm not even sure it actually did it. I
> don't have enough logs from that part to be sure what happened. I
> believe resize2fs may actually have refused to operate, because of
> pre-existing ext4 errors, but in the end, the filesystem appears to
> have been resized anyways... So maybe the online tentative didn't
> work, and the vendor automated process tried again an offline resize?
> Is there any possibility that the filesystem could appear to be
> resized (extended) with the actual inode table still referencing the
> pre-resize one?

It's possible, I suppose.  If the vendor script unmounted the file
system and then attempted to run e2fsck -fy to fix the file system,
perhaps.  In which case the damage could also have been done by the
e2fsck -fy run, depending on how badly the file system was corrupted
before this whole procedure was started.

But that would imply that the NAS box would have to stop serving the
file system, and it would have been pretty obviously an off-line
procedure.

Good luck,

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ