| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Jul 2019 16:28:27 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: Thomas Walker <Thomas.Walker@...sigma.com>
Cc: Geoffrey Thomas <Geoffrey.Thomas@...sigma.com>,
"'Jan Kara'" <jack@...e.cz>,
"'linux-ext4@...r.kernel.org'" <linux-ext4@...r.kernel.org>,
"Darrick J. Wong" <darrick.wong@...cle.com>
Subject: Re: Phantom full ext4 root filesystems on 4.1 through 4.14 kernels
On Fri, Jul 12, 2019 at 03:19:03PM -0400, Thomas Walker wrote:
> Clearing orphaned inode 1048838 (uid=0, gid=4, mode=0100640, size=39006841856)
> Of particular note, ino 1048838 matches the size of the space that we "lost".
Hmmm... what's gid 4? Is that a hint of where the inode might have come from?
Can you try the this experiment of e2image... e2fsck, but add a "cp
--sparse" of the e2i file between the e2image and e2fsck step? Then
when you can identify the inode that has the huge amount of the
orphaned space, try grab the first couple of blocks, and then run
"file" on the first part of the file, which might help you identify
where the file came from. Is it an ISO file? etc.
The goal is to come up with a repeatable way of forcing the failure,
so we can understand the root cause of the "lost space". The fact
that it's an orphaned inode means that something was hanging onto the
inode. The question is what part of the kernel was keeping the ref
count elevated.
Thanks,
- Ted
Powered by blists - more mailing lists