{"id":2219816,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2219816/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-ext4/patch/20260404152011.2590197-1-kovalev@altlinux.org/","project":{"id":8,"url":"http://patchwork.ozlabs.org/api/1.2/projects/8/?format=json","name":"Linux ext4 filesystem development","link_name":"linux-ext4","list_id":"linux-ext4.vger.kernel.org","list_email":"linux-ext4@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260404152011.2590197-1-kovalev@altlinux.org>","list_archive_url":null,"date":"2026-04-04T15:20:11","name":"ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"cae46b8f7c36ddb726178e0e100bb0991e33b3b0","submitter":{"id":86433,"url":"http://patchwork.ozlabs.org/api/1.2/people/86433/?format=json","name":"Vasiliy Kovalev","email":"kovalev@altlinux.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-ext4/patch/20260404152011.2590197-1-kovalev@altlinux.org/mbox/","series":[{"id":498733,"url":"http://patchwork.ozlabs.org/api/1.2/series/498733/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-ext4/list/?series=498733","date":"2026-04-04T15:20:11","name":"ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()","version":1,"mbox":"http://patchwork.ozlabs.org/series/498733/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2219816/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219816/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n 
<SRS0=FTj9=CD=vger.kernel.org=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@ozlabs.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-ext4@vger.kernel.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","patchwork-incoming@ozlabs.org"],"Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=ozlabs.org\n (client-ip=150.107.74.76; helo=mail.ozlabs.org;\n envelope-from=srs0=ftj9=cd=vger.kernel.org=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@ozlabs.org;\n receiver=patchwork.ozlabs.org)","gandalf.ozlabs.org;\n arc=pass smtp.remote-ip=\"2600:3c04:e001:36c::12fc:5321\"\n arc.chain=subspace.kernel.org","gandalf.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org","gandalf.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=193.43.8.18","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=altlinux.org"],"Received":["from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnzn106m6z1yCs\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 05 Apr 2026 02:20:36 +1100 (AEDT)","from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\tby gandalf.ozlabs.org (Postfix) with ESMTP id 4fnzn03HVLz4wDS\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 05 Apr 2026 02:20:36 +1100 (AEDT)","by gandalf.ozlabs.org (Postfix)\n\tid 4fnzn039YZz4wJ8; Sun, 05 Apr 2026 02:20:36 +1100 (AEDT)","from tor.lore.kernel.org (tor.lore.kernel.org\n 
[IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby gandalf.ozlabs.org (Postfix) with ESMTPS id 4fnzmw1wf1z4wDS\n\tfor <patchwork-incoming@ozlabs.org>; Sun, 05 Apr 2026 02:20:32 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 9E0BE300B3D8\n\tfor <patchwork-incoming@ozlabs.org>; Sat,  4 Apr 2026 15:20:29 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id CE3E128CF5D;\n\tSat,  4 Apr 2026 15:20:25 +0000 (UTC)","from air.basealt.ru (air.basealt.ru [193.43.8.18])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id CAC0A277026;\n\tSat,  4 Apr 2026 15:20:22 +0000 (UTC)","from altlinux.ipa.basealt.ru (unknown [193.43.11.2])\n\t(Authenticated sender: kovalevvv)\n\tby air.basealt.ru (Postfix) with ESMTPSA id F2FA123372;\n\tSat,  4 Apr 2026 18:20:12 +0300 (MSK)"],"ARC-Seal":["i=2; a=rsa-sha256; d=ozlabs.org; s=201707; t=1775316036; cv=pass;\n\tb=uK/EoaS8Mmsme3eYFUcdenWcZaSbVOoho1x4YcSKS9+kg07x4O9iTNOxNh+Qjivr4ENyyI7ULDNowNs8U0+Xsshu0Q+gHAsN4/vB0TAilaD87pHYwfggo4A1AFAy/2UjmvjDXllRZPDi3sj+IJzlwq5CnzhAqU6lEH0IEmHYvlYTIpmvpG12VTO2x+bPnNNObCZpkNehJnou3QIbrqvzm+0jngd6t6h35kizbN340u3CqPrtjFCk6ocMIg/dgaXOXcbhGGIzNahTeT/i5C/2uH3aiJHOjh8WeX9484b/yIt7PGdgGRBflXCHJpKntrU7PWWfD+Gf1k2IbVzVQT++PQ==","i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775316025; cv=none;\n b=J9B3jlSqnpuCzRntBQ2uumsqkRY48Cbi7meXE2VErwpUOmM0VX6IosZkoV20NAkZ/BTkXTbzErD74rtVQps8aeAMw+iegBWJgCj6+RYynM8DnRNUBiwqdDjGu/vo97Tkdy66BsOQPwSa6GBIeWAWsCb6GsJTnhAXLeDoPWsOesk="],"ARC-Message-Signature":["i=2; a=rsa-sha256; d=ozlabs.org; s=201707;\n\tt=1775316036; 
c=relaxed/relaxed;\n\tbh=2qUeqzcmtJL3oDVjHm1ERXcEikcG3zIv3SebLoxMWNM=;\n\th=From:To:Cc:Subject:Date:Message-Id:MIME-Version;\n b=KDoIbSkAFmo7Vj+yNfpj08PZKyr61ZD6kAS5o428IXlxpzcEJTusfEgZ3mDz6Pk5VfT0JvFbJEfx7hBACENfnJAAnMR7ntKyFSuneNZvAMiWAOELfWoVA2ojKriIrxcYMcS36wVR5xrCC2vKyKJs6KMcSrDOJgDN5JnmU76snBCug68Ab0a9lWMJ7w/gABK8zuTo3PGIBfM6060pOH2vEd8i2hA8ii141tU44Zz3ysA0EN7ALdOfYKl77Axj9JlAtNlcBTCgXbXqbCh6uOqb2Q9zs8Utu02B7mtPfeCq/AXqxy4e8Bre1Ur/0Z2V4Jue8qJCKffWBMgjjcRDJZOy9w==","i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1775316025; c=relaxed/simple;\n\tbh=tYSMBNByKr+z9h6uIYZ2DGG1o9YGIs77Rau0MOUuVpw=;\n\th=From:To:Cc:Subject:Date:Message-Id:MIME-Version;\n b=nNLRQuiZ5IA+JyHQa7RRzC8wMMfw/IbDU99UPE/7NgDyK1EPkOGdzjRpuqS46OGOu23sxh5tt+2uguEZSUJhBhSnlcNO0tk5L9RCG4cw0QSLvr8S/XQbJrJaa/AgRCZ8deUiNiV2lXSLJb/AfQw+oFTd5zOnKlcrLGNDeHjnwT8="],"ARC-Authentication-Results":["i=2; gandalf.ozlabs.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org;\n spf=pass (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15639-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org) smtp.mailfrom=vger.kernel.org","i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=altlinux.org;\n spf=pass smtp.mailfrom=altlinux.org; arc=none smtp.client-ip=193.43.8.18"],"From":"Vasiliy Kovalev <kovalev@altlinux.org>","To":"Jan Kara <jack@suse.com>,\n\tlinux-ext4@vger.kernel.org","Cc":"Andrew Morton <akpm@osdl.org>,\n\tAlexey Dobriyan <adobriyan@gmail.com>,\n\tlinux-kernel@vger.kernel.org,\n\tlvc-project@linuxtesting.org,\n\tkovalev@altlinux.org","Subject":"[PATCH] ext2: reject inodes with zero i_nlink and valid mode in\n ext2_iget()","Date":"Sat,  4 Apr 2026 18:20:11 +0300","Message-Id":"<20260404152011.2590197-1-kovalev@altlinux.org>","X-Mailer":"git-send-email 
2.33.8","Precedence":"bulk","X-Mailing-List":"linux-ext4@vger.kernel.org","List-Id":"<linux-ext4.vger.kernel.org>","List-Subscribe":"<mailto:linux-ext4+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-ext4+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-Spam-Status":"No, score=-1.1 required=5.0 tests=ARC_SIGNED,ARC_VALID,\n\tDMARC_MISSING,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,\n\tSPF_HELO_NONE,SPF_PASS autolearn=disabled version=4.0.1","X-Spam-Checker-Version":"SpamAssassin 4.0.1 (2024-03-25) on gandalf.ozlabs.org"},"content":"ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\n\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rename+0x35e/0x850 fs/ext2/namei.c:374\n vfs_rename+0xf2f/0x2060 
fs/namei.c:5021\n do_renameat2+0xbe2/0xd50 fs/namei.c:5178\n __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311\n vfs_rmdir+0x204/0x690 fs/namei.c:4348\n do_rmdir+0x372/0x3e0 fs/namei.c:4407\n __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\nFixes: 1da177e4c3f4 (\"Linux-2.6.12-rc2\")\nCc: stable@vger.kernel.org\nSigned-off-by: Vasiliy Kovalev <kovalev@altlinux.org>\n---\n fs/ext2/inode.c | 14 +++++++++++---\n 1 file changed, 11 insertions(+), 3 deletions(-)","diff":"diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c\nindex dbfe9098a124..39d972722f5f 100644\n--- a/fs/ext2/inode.c\n+++ b/fs/ext2/inode.c\n@@ -1430,9 +1430,17 @@ struct inode *ext2_iget (struct super_block *sb, unsigned long ino)\n \t * the test is that same one that e2fsck uses\n \t * NeilBrown 1999oct15\n \t */\n-\tif (inode->i_nlink == 0 && (inode->i_mode == 0 || ei->i_dtime)) {\n-\t\t/* this inode is deleted */\n-\t\tret = -ESTALE;\n+\tif (inode->i_nlink == 0) {\n+\t\tif (inode->i_mode == 0 || ei->i_dtime) {\n+\t\t\t/* this inode is deleted */\n+\t\t\tret = -ESTALE;\n+\t\t} else {\n+\t\t\text2_error(sb, __func__,\n+\t\t\t\t   \"inode %lu has zero i_nlink with mode 0%o and no dtime, \"\n+\t\t\t\t   \"filesystem may be 
corrupt\",\n+\t\t\t\t   ino, inode->i_mode);\n+\t\t\tret = -EFSCORRUPTED;\n+\t\t}\n \t\tgoto bad_inode;\n \t}\n \tinode->i_blocks = le32_to_cpu(raw_inode->i_blocks);\n","prefixes":[]}
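Review bot: In the new else branch the ext2_error() format string is split across two literals ("... and no dtime, " followed by "filesystem may be corrupt"); kernel style keeps a user-visible message on a single line so it can be grepped from a log, so join it even if the line runs long. The retained comment above the test still says it is "that same one that e2fsck uses", which now describes only the -ESTALE arm; extend that comment to say that i_nlink == 0 with a non-zero mode and no dtime is treated as corruption and returns -EFSCORRUPTED.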