| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <839306c1-5f7a-4e89-b2cf-7534d279a03c@kernel.org>
Date: Thu, 9 Oct 2025 10:54:40 +0800
From: Chao Yu <chao@...nel.org>
To: "Nikola Z. Ivanov" <zlatistiv@...il.com>, jaegeuk@...nel.org,
linux-f2fs-devel@...ts.sourceforge.net
Cc: chao@...nel.org, linux-kernel@...r.kernel.org, skhan@...uxfoundation.org,
david.hunter.linux@...il.com,
linux-kernel-mentees@...ts.linuxfoundation.org, khalid@...nel.org,
syzbot+c07d47c7bc68f47b9083@...kaller.appspotmail.com
Subject: Re: [PATCH] f2fs: Perform sanity check before unlinking directory
inode
On 10/3/2025 9:47 PM, Nikola Z. Ivanov wrote:
> Current i_nlink corruption check does not take into account
> directory inodes which have one additional i_nlink for their "." entry.
>
> Add additional check and a common corruption path.
>
> Reported-by: syzbot+c07d47c7bc68f47b9083@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c07d47c7bc68f47b9083
> Fixes: 81edb983b3f5 ("f2fs: add check for deleted inode")
> Signed-off-by: Nikola Z. Ivanov <zlatistiv@...il.com>
> ---
> fs/f2fs/namei.c | 28 ++++++++++++++++++++--------
> 1 file changed, 20 insertions(+), 8 deletions(-)
>
> diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
> index b882771e4699..68b33e8089b0 100644
> --- a/fs/f2fs/namei.c
> +++ b/fs/f2fs/namei.c
> @@ -502,12 +502,14 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
> goto out;
> }
>
> - if (inode->i_nlink == 0) {
> + if (unlikely(inode->i_nlink == 0)) {
> f2fs_warn(F2FS_I_SB(inode), "%s: inode (ino=%lx) has zero i_nlink",
> __func__, inode->i_ino);
> - err = -EFSCORRUPTED;
> - set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
> - goto out_iput;
> + goto corrupted;
> + } else if (unlikely(S_ISDIR(inode->i_mode) && inode->i_nlink == 1)) {
> + f2fs_warn(F2FS_I_SB(inode), "%s: directory inode (ino=%lx) has a single i_nlink",
> + __func__, inode->i_ino);
> + goto corrupted;
Can we detect such corruption in sanity_check_inode() as well? So that if
f2fs internal flow calls f2fs_iget() on corrupted inode, we can set SBI_NEED_FSCK
flag and then triggering fsck repairment later.
Thanks,
> }
>
> if (IS_ENCRYPTED(dir) &&
> @@ -533,6 +535,9 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
> trace_f2fs_lookup_end(dir, !IS_ERR_OR_NULL(new) ? new : dentry,
> ino, IS_ERR(new) ? PTR_ERR(new) : err);
> return new;
> +corrupted:
> + err = -EFSCORRUPTED;
> + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
> out_iput:
> iput(inode);
> out:
> @@ -572,10 +577,11 @@ static int f2fs_unlink(struct inode *dir, struct dentry *dentry)
> if (unlikely(inode->i_nlink == 0)) {
> f2fs_warn(F2FS_I_SB(inode), "%s: inode (ino=%lx) has zero i_nlink",
> __func__, inode->i_ino);
> - err = -EFSCORRUPTED;
> - set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
> - f2fs_folio_put(folio, false);
> - goto fail;
> + goto corrupted;
> + } else if (unlikely(S_ISDIR(inode->i_mode) && inode->i_nlink == 1)) {
> + f2fs_warn(F2FS_I_SB(inode), "%s: directory inode (ino=%lx) has a single i_nlink",
> + __func__, inode->i_ino);
> + goto corrupted;
> }
>
> f2fs_balance_fs(sbi, true);
> @@ -601,6 +607,12 @@ static int f2fs_unlink(struct inode *dir, struct dentry *dentry)
>
> if (IS_DIRSYNC(dir))
> f2fs_sync_fs(sbi->sb, 1);
> +
> + goto fail;
> +corrupted:
> + err = -EFSCORRUPTED;
> + set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
> + f2fs_folio_put(folio, false);
> fail:
> trace_f2fs_unlink_exit(inode, err);
> return err;
Powered by blists - more mailing lists