| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251025143918.9106-2-eraykrdg1@gmail.com>
Date: Sat, 25 Oct 2025 17:39:19 +0300
From: Ahmet Eray Karadag <eraykrdg1@...il.com>
To: mark@...heh.com,
jlbec@...lplan.org,
joseph.qi@...ux.alibaba.com
Cc: ocfs2-devel@...ts.linux.dev,
linux-kernel@...r.kernel.org,
david.hunter.linux@...il.com,
skhan@...uxfoundation.org,
Ahmet Eray Karadag <eraykrdg1@...il.com>,
syzbot+55c40ae8a0e5f3659f2b@...kaller.appspotmail.com,
Albin Babu Varghese <albinbabuvarghese20@...il.com>
Subject: [PATCH v4] ocfs2: Invalidate inode if i_mode is zero after block read
A panic occurs in ocfs2_unlink due to WARN_ON(inode->i_nlink == 0) when
handling a corrupted inode with i_mode=0 and i_nlink=0 in memory.
This "zombie" inode is created because ocfs2_read_locked_inode proceeds
even after ocfs2_validate_inode_block successfully validates a block
that structurally looks okay (passes checksum, signature etc.) but
contains semantically invalid data (specifically i_mode=0). The current
validation function doesn't check for i_mode being zero.
This results in an in-memory inode with i_mode=0 being added to the VFS
cache, which later triggers the panic during unlink.
Prevent this by adding an explicit check for i_mode == 0 within
ocfs2_validate_inode_block. If i_mode is zero, return -EFSCORRUPTED to signal
corruption. This causes the caller (ocfs2_read_locked_inode) to invoke
make_bad_inode(), correctly preventing the zombie inode from entering
the cache.
---
[RFC]:
The current fix handles i_mode=0 corruption detected during inode read
by returning -EFSCORRUPTED from ocfs2_validate_inode_block, which leads to
make_bad_inode() being called, preventing the corrupted inode from
entering the cache. This approach avoids immediately forcing the entire
filesystem read-only, assuming the corruption might be localized to
this inode.
Is this less aggressive error handling strategy appropriate for i_mode=0
corruption? Or is this condition considered severe enough that we *should*
explicitly call ocfs2_error() within the validation function to guarantee
the filesystem is marked read-only immediately upon detection?
Feedback and testing on the correct severity assessment and error
handling for this type of corruption would be appreciated.
Reported-by: syzbot+55c40ae8a0e5f3659f2b@...kaller.appspotmail.com
Fixes: https://syzkaller.appspot.com/bug?extid=55c40ae8a0e5f3659f2b
Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@...il.com>
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@...il.com>
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@...il.com>
---
v2:
- Reviewed how ext4 handling same situation and we come up with this
solution
---
v3:
- Implement combined check for nlink=0, mode=0 and non-orphan
as requested.
---
v4:
- Fix code alignment issues
---
fs/ocfs2/inode.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index 14bf440ea4df..d966df3aa605 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1455,7 +1455,14 @@ int ocfs2_validate_inode_block(struct super_block *sb,
(unsigned long long)bh->b_blocknr);
goto bail;
}
-
+ if (!le16_to_cpu(di->i_links_count) && !le16_to_cpu(di->i_mode) &&
+ !(le32_to_cpu(di->i_flags) & OCFS2_ORPHANED_FL)) {
+ mlog(ML_ERROR, "Invalid dinode #%llu: "
+ "Corrupt state (nlink=0, mode=0, !orphan) detected!\n",
+ (unsigned long long)bh->b_blocknr);
+ rc = -EFSCORRUPTED;
+ goto bail;
+ }
/*
* Errors after here are fatal.
*/
--
2.43.0
Powered by blists - more mailing lists