lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 12 Jul 2019 16:28:27 -0400
From:   "Theodore Ts'o" <>
To:     Thomas Walker <>
Cc:     Geoffrey Thomas <>,
        "'Jan Kara'" <>,
        "''" <>,
        "Darrick J. Wong" <>
Subject: Re: Phantom full ext4 root filesystems on 4.1 through 4.14 kernels

On Fri, Jul 12, 2019 at 03:19:03PM -0400, Thomas Walker wrote:
> Clearing orphaned inode 1048838 (uid=0, gid=4, mode=0100640, size=39006841856)

> Of particular note, ino 1048838 matches the size of the space that we "lost".

Hmmm... what's gid 4?  Is that a hint of where the inode might have come from?

Can you try the this experiment of e2image... e2fsck, but add a "cp
--sparse" of the e2i file between the e2image and e2fsck step?  Then
when you can identify the inode that has the huge amount of the
orphaned space, try grab the first couple of blocks, and then run
"file" on the first part of the file, which might help you identify
where the file came from.  Is it an ISO file?  etc.

The goal is to come up with a repeatable way of forcing the failure,
so we can understand the root cause of the "lost space".  The fact
that it's an orphaned inode means that something was hanging onto the
inode.  The question is what part of the kernel was keeping the ref
count elevated.


						- Ted

Powered by blists - more mailing lists