[{"id":3673461,"web_url":"http://patchwork.ozlabs.org/comment/3673461/","msgid":"<90fe3801-7723-553c-6384-c6a42a5932cc@basealt.ru>","list_archive_url":null,"date":"2026-04-04T15:27:37","subject":"Re: [PATCH 0/2] ext2: fix WARN_ON in drop_nlink() triggered by\n corrupt images","submitter":{"id":86433,"url":"http://patchwork.ozlabs.org/api/people/86433/","name":"Vasiliy Kovalev","email":"kovalev@altlinux.org"},"content":"On 4/2/26 01:08, Vasiliy Kovalev wrote:\n> A crafted ext2 image can contain a directory entry pointing to an inode\n> whose on-disk i_links_count is zero. ext2 mounts such an image without\n> error. Any subsequent syscall that decrements i_nlink on that inode\n> triggers WARN_ON inside drop_nlink() in fs/inode.c.\n> \n> These patches prevent the warning by validating i_nlink before decrementing\n> it in ext2_unlink() and ext2_rename(), reporting the corruption via\n> ext2_error() instead.\n> \n> The issues were found by Linux Verification Center (linuxtesting.org)\n> with Syzkaller.\n> \n> Vasiliy Kovalev (2):\n>    ext2: validate i_nlink before decrement in ext2_unlink()\n>    ext2: guard against zero i_nlink on new_inode in ext2_rename()\n\nSyzkaller found a third trigger via ext2_rmdir(). 
Rather than adding\nanother guard in namei.c, I fixed the root cause in ext2_iget() instead \n- a single check there covers all three cases at once.\n\nNew patch: \nhttps://lore.kernel.org/all/20260404152011.2590197-1-kovalev@altlinux.org/\n\nIf the previous two patches have not been picked up yet, please\nconsider this one as a replacement for the entire series.\n\n>   fs/ext2/namei.c | 14 +++++++++++++-\n>   1 file changed, 13 insertions(+), 1 deletion(-)\n> \n> --- [Reproducer for PATCH 1/2: ext2_unlink] ---\n> [...]\n> \n> --- [Reproducer for PATCH 2/2: ext2_rename] ---\n> [...]","headers":{"Message-ID":"<90fe3801-7723-553c-6384-c6a42a5932cc@basealt.ru>","Date":"Sat, 4 Apr 2026 18:27:37 +0300","List-Id":"<linux-ext4.vger.kernel.org>","Subject":"Re: [PATCH 0/2] ext2: fix WARN_ON in drop_nlink() triggered by\n corrupt images","To":"Jan Kara <jack@suse.com>, Andrew Morton <akpm@osdl.org>,\n Alexey Dobriyan <adobriyan@gmail.com>, linux-ext4@vger.kernel.org","Cc":"linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org","References":"<20260401220837.2424925-1-kovalev@altlinux.org>","From":"Vasiliy Kovalev <kovalev@altlinux.org>","In-Reply-To":"<20260401220837.2424925-1-kovalev@altlinux.org>"}}]