Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2219816/?format=api
{ "id": 2219816, "url": "http://patchwork.ozlabs.org/api/patches/2219816/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-ext4/patch/20260404152011.2590197-1-kovalev@altlinux.org/", "project": { "id": 8, "url": "http://patchwork.ozlabs.org/api/projects/8/?format=api", "name": "Linux ext4 filesystem development", "link_name": "linux-ext4", "list_id": "linux-ext4.vger.kernel.org", "list_email": "linux-ext4@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260404152011.2590197-1-kovalev@altlinux.org>", "list_archive_url": null, "date": "2026-04-04T15:20:11", "name": "ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "cae46b8f7c36ddb726178e0e100bb0991e33b3b0", "submitter": { "id": 86433, "url": "http://patchwork.ozlabs.org/api/people/86433/?format=api", "name": "Vasiliy Kovalev", "email": "kovalev@altlinux.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-ext4/patch/20260404152011.2590197-1-kovalev@altlinux.org/mbox/", "series": [ { "id": 498733, "url": "http://patchwork.ozlabs.org/api/series/498733/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-ext4/list/?series=498733", "date": "2026-04-04T15:20:11", "name": "ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498733/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2219816/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219816/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <SRS0=FTj9=CD=vger.kernel.org=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@ozlabs.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-ext4@vger.kernel.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "patchwork-incoming@ozlabs.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=ozlabs.org\n (client-ip=150.107.74.76; helo=mail.ozlabs.org;\n envelope-from=srs0=ftj9=cd=vger.kernel.org=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@ozlabs.org;\n receiver=patchwork.ozlabs.org)", "gandalf.ozlabs.org;\n arc=pass smtp.remote-ip=\"2600:3c04:e001:36c::12fc:5321\"\n arc.chain=subspace.kernel.org", "gandalf.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org", "gandalf.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=193.43.8.18", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=altlinux.org" ], "Received": [ "from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnzn106m6z1yCs\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 05 Apr 2026 02:20:36 +1100 (AEDT)", "from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\tby gandalf.ozlabs.org (Postfix) with ESMTP id 4fnzn03HVLz4wDS\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 05 Apr 2026 02:20:36 +1100 (AEDT)", "by gandalf.ozlabs.org (Postfix)\n\tid 4fnzn039YZz4wJ8; Sun, 05 Apr 2026 02:20:36 +1100 (AEDT)", "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby gandalf.ozlabs.org (Postfix) with ESMTPS id 4fnzmw1wf1z4wDS\n\tfor <patchwork-incoming@ozlabs.org>; Sun, 05 Apr 2026 02:20:32 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 9E0BE300B3D8\n\tfor <patchwork-incoming@ozlabs.org>; Sat, 4 Apr 2026 15:20:29 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id CE3E128CF5D;\n\tSat, 4 Apr 2026 15:20:25 +0000 (UTC)", "from air.basealt.ru (air.basealt.ru [193.43.8.18])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id CAC0A277026;\n\tSat, 4 Apr 2026 15:20:22 +0000 (UTC)", "from altlinux.ipa.basealt.ru (unknown [193.43.11.2])\n\t(Authenticated sender: kovalevvv)\n\tby air.basealt.ru (Postfix) with ESMTPSA id F2FA123372;\n\tSat, 4 Apr 2026 18:20:12 +0300 (MSK)" ], "ARC-Seal": [ "i=2; a=rsa-sha256; d=ozlabs.org; s=201707; t=1775316036; cv=pass;\n\tb=uK/EoaS8Mmsme3eYFUcdenWcZaSbVOoho1x4YcSKS9+kg07x4O9iTNOxNh+Qjivr4ENyyI7ULDNowNs8U0+Xsshu0Q+gHAsN4/vB0TAilaD87pHYwfggo4A1AFAy/2UjmvjDXllRZPDi3sj+IJzlwq5CnzhAqU6lEH0IEmHYvlYTIpmvpG12VTO2x+bPnNNObCZpkNehJnou3QIbrqvzm+0jngd6t6h35kizbN340u3CqPrtjFCk6ocMIg/dgaXOXcbhGGIzNahTeT/i5C/2uH3aiJHOjh8WeX9484b/yIt7PGdgGRBflXCHJpKntrU7PWWfD+Gf1k2IbVzVQT++PQ==", "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775316025; cv=none;\n b=J9B3jlSqnpuCzRntBQ2uumsqkRY48Cbi7meXE2VErwpUOmM0VX6IosZkoV20NAkZ/BTkXTbzErD74rtVQps8aeAMw+iegBWJgCj6+RYynM8DnRNUBiwqdDjGu/vo97Tkdy66BsOQPwSa6GBIeWAWsCb6GsJTnhAXLeDoPWsOesk=" ], "ARC-Message-Signature": [ "i=2; a=rsa-sha256; d=ozlabs.org; s=201707;\n\tt=1775316036; c=relaxed/relaxed;\n\tbh=2qUeqzcmtJL3oDVjHm1ERXcEikcG3zIv3SebLoxMWNM=;\n\th=From:To:Cc:Subject:Date:Message-Id:MIME-Version;\n b=KDoIbSkAFmo7Vj+yNfpj08PZKyr61ZD6kAS5o428IXlxpzcEJTusfEgZ3mDz6Pk5VfT0JvFbJEfx7hBACENfnJAAnMR7ntKyFSuneNZvAMiWAOELfWoVA2ojKriIrxcYMcS36wVR5xrCC2vKyKJs6KMcSrDOJgDN5JnmU76snBCug68Ab0a9lWMJ7w/gABK8zuTo3PGIBfM6060pOH2vEd8i2hA8ii141tU44Zz3ysA0EN7ALdOfYKl77Axj9JlAtNlcBTCgXbXqbCh6uOqb2Q9zs8Utu02B7mtPfeCq/AXqxy4e8Bre1Ur/0Z2V4Jue8qJCKffWBMgjjcRDJZOy9w==", "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775316025; c=relaxed/simple;\n\tbh=tYSMBNByKr+z9h6uIYZ2DGG1o9YGIs77Rau0MOUuVpw=;\n\th=From:To:Cc:Subject:Date:Message-Id:MIME-Version;\n b=nNLRQuiZ5IA+JyHQa7RRzC8wMMfw/IbDU99UPE/7NgDyK1EPkOGdzjRpuqS46OGOu23sxh5tt+2uguEZSUJhBhSnlcNO0tk5L9RCG4cw0QSLvr8S/XQbJrJaa/AgRCZ8deUiNiV2lXSLJb/AfQw+oFTd5zOnKlcrLGNDeHjnwT8=" ], "ARC-Authentication-Results": [ "i=2; gandalf.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org;\n spf=pass (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org) smtp.mailfrom=vger.kernel.org", "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org;\n spf=pass smtp.mailfrom=altlinux.org; arc=none smtp.client-ip=193.43.8.18" ], "From": "Vasiliy Kovalev <kovalev@altlinux.org>", "To": "Jan Kara <jack@suse.com>,\n\tlinux-ext4@vger.kernel.org", "Cc": "Andrew Morton <akpm@osdl.org>,\n\tAlexey Dobriyan <adobriyan@gmail.com>,\n\tlinux-kernel@vger.kernel.org,\n\tlvc-project@linuxtesting.org,\n\tkovalev@altlinux.org", "Subject": "[PATCH] ext2: reject inodes with zero i_nlink and valid mode in\n ext2_iget()", "Date": "Sat, 4 Apr 2026 18:20:11 +0300", "Message-Id": "<20260404152011.2590197-1-kovalev@altlinux.org>", "X-Mailer": "git-send-email 2.33.8", "Precedence": "bulk", "X-Mailing-List": "linux-ext4@vger.kernel.org", "List-Id": "<linux-ext4.vger.kernel.org>", "List-Subscribe": "<mailto:linux-ext4+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-ext4+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Spam-Status": "No, score=-1.1 required=5.0 tests=ARC_SIGNED,ARC_VALID,\n\tDMARC_MISSING,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,\n\tSPF_HELO_NONE,SPF_PASS autolearn=disabled version=4.0.1", "X-Spam-Checker-Version": "SpamAssassin 4.0.1 (2024-03-25) on gandalf.ozlabs.org" }, "content": "ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\n\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rename+0x35e/0x850 fs/ext2/namei.c:374\n vfs_rename+0xf2f/0x2060 fs/namei.c:5021\n do_renameat2+0xbe2/0xd50 fs/namei.c:5178\n __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311\n vfs_rmdir+0x204/0x690 fs/namei.c:4348\n do_rmdir+0x372/0x3e0 fs/namei.c:4407\n __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nCc: stable@vger.kernel.org\nSigned-off-by: Vasiliy Kovalev <kovalev@altlinux.org>\n---\n fs/ext2/inode.c | 14 +++++++++++---\n 1 file changed, 11 insertions(+), 3 deletions(-)", "diff": "diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c\nindex dbfe9098a124..39d972722f5f 100644\n--- a/fs/ext2/inode.c\n+++ b/fs/ext2/inode.c\n@@ -1430,9 +1430,17 @@ struct inode *ext2_iget (struct super_block *sb, unsigned long ino)\n \t * the test is that same one that e2fsck uses\n \t * NeilBrown 1999oct15\n \t */\n-\tif (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) {\n-\t\t/* this inode is deleted */\n-\t\tret = -ESTALE;\n+\tif (inode->i_nlink == 0) {\n+\t\tif (inode->i_mode == 0 || ei->i_dtime) {\n+\t\t\t/* this inode is deleted */\n+\t\t\tret = -ESTALE;\n+\t\t} else {\n+\t\t\text2_error(sb, __func__,\n+\t\t\t\t \"inode %lu has zero i_nlink with mode 0%o and no dtime, \"\n+\t\t\t\t \"filesystem may be corrupt\",\n+\t\t\t\t ino, inode->i_mode);\n+\t\t\tret = -EFSCORRUPTED;\n+\t\t}\n \t\tgoto bad_inode;\n \t}\n \tinode->i_blocks = le32_to_cpu(raw_inode->i_blocks);\n", "prefixes": [] }