{"id":2218866,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2218866/?format=json","project":{"id":8,"url":"http://patchwork.ozlabs.org/api/1.0/projects/8/?format=json","name":"Linux ext4 filesystem development","link_name":"linux-ext4","list_id":"linux-ext4.vger.kernel.org","list_email":"linux-ext4@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260401220837.2424925-2-kovalev@altlinux.org>","date":"2026-04-01T22:08:36","name":"[1/2] ext2: validate i_nlink before decrement in ext2_unlink()","commit_ref":null,"pull_url":null,"state":"not-applicable","archived":false,"hash":"9782425d8ae2cea928a4fbe67d55d654847252ea","submitter":{"id":86433,"url":"http://patchwork.ozlabs.org/api/1.0/people/86433/?format=json","name":"Vasiliy Kovalev","email":"kovalev@altlinux.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-ext4/patch/20260401220837.2424925-2-kovalev@altlinux.org/mbox/","series":[{"id":498405,"url":"http://patchwork.ozlabs.org/api/1.0/series/498405/?format=json","date":"2026-04-01T22:08:37","name":"ext2: fix WARN_ON in drop_nlink() triggered by corrupt images","version":1,"mbox":"http://patchwork.ozlabs.org/series/498405/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2218866/checks/","tags":{},"headers":{"Return-Path":"\n <SRS0=zNiy=CA=vger.kernel.org=linux-ext4+bounces-15595-patchwork-incoming=ozlabs.org@ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-ext4@vger.kernel.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","patchwork-incoming@ozlabs.org"],"Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=ozlabs.org\n (client-ip=2404:9400:2221:ea00::3; helo=mail.ozlabs.org;\n envelope-from=srs0=zniy=ca=vger.kernel.org=linux-ext4+bounces-15595-patchwork-incoming=ozlabs.org@ozlabs.org;\n receiver=patchwork.ozlabs.org)","gandalf.ozlabs.org;\n arc=pass smtp.remote-ip=\"2600:3c0a:e001:db::12fc:5321\"\n arc.chain=subspace.kernel.org","gandalf.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org","gandalf.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15595-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=193.43.8.18","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=altlinux.org"],"Received":["from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmK5v3gK6z1yFv\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 02 Apr 2026 09:14:27 +1100 (AEDT)","from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\tby gandalf.ozlabs.org (Postfix) with ESMTP id 4fmK5v3CTNz4x4X\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 02 Apr 2026 09:14:27 +1100 (AEDT)","by gandalf.ozlabs.org (Postfix)\n\tid 4fmK5v390Dz4xGn; Thu, 02 Apr 2026 09:14:27 +1100 (AEDT)","from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby gandalf.ozlabs.org (Postfix) with ESMTPS id 4fmK5q6y1pz4x4X\n\tfor <patchwork-incoming@ozlabs.org>; Thu, 02 Apr 2026 09:14:23 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id E059D3094861\n\tfor <patchwork-incoming@ozlabs.org>; Wed,  1 Apr 2026 22:08:53 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id C693A348452;\n\tWed,  1 Apr 2026 22:08:51 +0000 (UTC)","from air.basealt.ru (air.basealt.ru [193.43.8.18])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 774203446DE;\n\tWed,  1 Apr 2026 22:08:47 +0000 (UTC)","from altlinux.ipa.basealt.ru (unknown [193.43.11.2])\n\t(Authenticated sender: kovalevvv)\n\tby air.basealt.ru (Postfix) with ESMTPSA id 3DBA1233AE;\n\tThu,  2 Apr 2026 01:08:39 +0300 (MSK)"],"ARC-Seal":["i=2; a=rsa-sha256; d=ozlabs.org; s=201707; t=1775081667; cv=pass;\n\tb=yP9qS1HrgndFwVo04r1v49BjN/CHyGg4jLtpcdv9qVZgl3oDCpaF8GO3C9suuI3FHspmpCi2M9Gc0ovNUcL2N5Z4/8tLRMNHWkoFgiDKe6HdCV1IYIr5zEr3MwrF1+8b9Jm+gRD083HAYITFMdmo16AjNxcpP7RZs8QdEvn/KQ69cT12WHtteU7QQCJ0pwMjDgbzBcyxpiBTik8/1dvHwmjDzwiXQyq8O/MSiKz6yXlkmjcbwDkDjkSVN3zgUtDcWiVwUibHQBC4iZPb9n82Y7R64vNZexVRqnysqzDBnDRI36YIsZVJePWbeSxOpIeqTRrMaDskejRjWrpA/NE64w==","i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775081331; cv=none;\n b=o67KHcn4ahua4uyYfWiLWnzbSS4INoI61nQATZlirc2BxLrWEs/4xYMyza05MAXgGtuUhf+UpRYMsrJbR/XdBZ2D4ThoHZu1XDC/y7J7LFskduaPjVU7Ef6KcJI0MyK/fRDoF/ykVGdRsrPbjXO3VzG0Jkn7eSn7bvTnsqHHOsk="],"ARC-Message-Signature":["i=2; a=rsa-sha256; d=ozlabs.org; s=201707;\n\tt=1775081667; c=relaxed/relaxed;\n\tbh=/YE5cY1ChZGmFVUggROnQZNs3xFjYrWRKygPxXSy8uo=;\n\th=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:\n\t MIME-Version;\n b=kTjMwoqXS9D+BJ0YeKxmgEfcuZaDBAFv0n/Yrl/hV3oTVPyrgUIEgUJ0dno2ysweMGbj5ZUEguhwn/b5NYKZ7RU0/g2lSBCmGKfvJrvQUqCoHgA3o22jFkqqjeRVwKL7lip+ry5teKK94rSELQLAiPwiY0r+kybxxuZ5FOFHS/XQSmmVpOWIFmOCezb9/5ceH3qGWu/6CgmkdhcrMru1qcCxek6IiLuQ787tIhErzabCZuiSxTape3Rn27rjrnVtRMnwXcE4QSCD1zyzujFOjwMYuNM2B3CwFmbNWl4ZMjZUrVjkc7DZLP5+DPmUImdApSVWfUGI/c5K0nS2cKN32g==","i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775081331; c=relaxed/simple;\n\tbh=Z9K8w6s7V5HknpBmPPcvfXamNo3gWLvI6pJ1a5aaw2c=;\n\th=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:\n\t MIME-Version;\n b=iyHmiXYxLhETBXEaqKUPLyfj0TLutXhQlwE+kcCii/n44bg/VFScb735LoUB4nEbebateIiMmlI3zrLr0/HXYyw0ETb9o/pupGw9TfVfQyQpu1zS1Wl8i2Yztjy3z7VS3Byh0GUMGP0nL8BnbiAumQICCFdKBIG6KW1ZNA0ieB0="],"ARC-Authentication-Results":["i=2; gandalf.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org;\n spf=pass (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15595-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org) smtp.mailfrom=vger.kernel.org","i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org;\n spf=pass smtp.mailfrom=altlinux.org; arc=none smtp.client-ip=193.43.8.18"],"From":"Vasiliy Kovalev <kovalev@altlinux.org>","To":"Jan Kara <jack@suse.com>,\n\tAndrew Morton <akpm@osdl.org>,\n\tAlexey Dobriyan <adobriyan@gmail.com>,\n\tlinux-ext4@vger.kernel.org","Cc":"linux-kernel@vger.kernel.org,\n\tlvc-project@linuxtesting.org,\n\tkovalev@altlinux.org","Subject":"[PATCH 1/2] ext2: validate i_nlink before decrement in ext2_unlink()","Date":"Thu,  2 Apr 2026 01:08:36 +0300","Message-Id":"<20260401220837.2424925-2-kovalev@altlinux.org>","X-Mailer":"git-send-email 2.33.8","In-Reply-To":"<20260401220837.2424925-1-kovalev@altlinux.org>","References":"<20260401220837.2424925-1-kovalev@altlinux.org>","Precedence":"bulk","X-Mailing-List":"linux-ext4@vger.kernel.org","List-Id":"<linux-ext4.vger.kernel.org>","List-Subscribe":"<mailto:linux-ext4+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-ext4+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spam-Status":"No, score=-1.1 required=5.0 tests=ARC_SIGNED,ARC_VALID,\n\tDMARC_MISSING,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,\n\tSPF_HELO_NONE,SPF_PASS autolearn=disabled version=4.0.1","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on gandalf.ozlabs.org"},"content":"A crafted ext2 image can provide a directory entry pointing to an inode\nwith i_links_count == 0 on disk. Calling unlink() on such an entry\ntriggers WARN_ON inside drop_nlink():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __do_sys_unlink fs/namei.c:4589 [inline]\n __se_sys_unlink fs/namei.c:4587 [inline]\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_x64 arch/x86/entry/common.c:47 [inline]\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nAt the point of the crash, ext2_delete_entry() has already committed\nthe removal of the directory entry to disk, so returning an error is\nnot an option. Instead, skip the decrement and report the corruption\nvia ext2_error(), which marks the superblock as having errors. The\ninode will be reclaimed when its last reference is dropped.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\nCc: stable@vger.kernel.org\nFixes: a513b035eadf (\"[PATCH] ext2: switch to inode_inc_count, inode_dec_count\")\nSigned-off-by: Vasiliy Kovalev <kovalev@altlinux.org>\n---\n fs/ext2/namei.c | 7 ++++++-\n 1 file changed, 6 insertions(+), 1 deletion(-)","diff":"diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c\nindex bde617a66cec..ea49e8f2b292 100644\n--- a/fs/ext2/namei.c\n+++ b/fs/ext2/namei.c\n@@ -293,7 +293,12 @@ static int ext2_unlink(struct inode *dir, struct dentry *dentry)\n \t\tgoto out;\n \n \tinode_set_ctime_to_ts(inode, inode_get_ctime(dir));\n-\tinode_dec_link_count(inode);\n+\tif (!inode->i_nlink)\n+\t\text2_error(inode->i_sb, __func__,\n+\t\t\t   \"inode %lu has zero i_nlink on unlink, fs may be corrupt\",\n+\t\t\t   inode->i_ino);\n+\telse\n+\t\tinode_dec_link_count(inode);\n \terr = 0;\n out:\n \treturn err;\n","prefixes":["1/2"]}