* [PATCH] ext2 FS corruption in 2.5.3-pre[3-5]
@ 2002-01-25  0:35 Mikael Pettersson
  2002-01-25  2:46 ` Alexander Viro
  0 siblings, 1 reply; 2+ messages in thread
From: Mikael Pettersson @ 2002-01-25  0:35 UTC (permalink / raw)
  To: torvalds, viro; +Cc: linux-kernel

Al & Linus,

There is a file system corruption problem in 2.5.3-pre[3-5], caused
by leaking uninitialised memory to in-core and later on-disk inodes.

I can easily observe the problem by creating lots of files in an
ext2 FS, rebooting to single-user, and running fsck on the ext2 FS
partition. fsck will then give a lot of warnings about:

"i_fsize for inode NNN (...) is XX, should be zero"

where XX is a random non-zero 8-bit number.

I traced it to the pre2->pre3 transition, which contains:
> - Al Viro: VFS inode allocation moved down to filesystem, trim inodes

When FS-specific data was stored in inode->u, that data was cleared by
the memset() in fs/inode.c:alloc_inode(). The FS didn't have to bother.
Since -pre3, ext2 (and perhaps other FSs, I haven't checked) uses an
in-core inode layout consisting of an FS-specific head followed by the
generic inode. ext2 allocates these in fs/ext2/super.c:ext2_alloc_inode(),
but doesn't clear the ext2-specific fields. fs/inode.c:alloc_inode()
neither knows about these fields nor clears them, so the ext2-specific
data remains uninitialised when the new inode is returned for use. Ouch.

The patch below fixes this by adding the missing memset() to
fs/ext2/super.c:ext2_alloc_inode(). Works fine over here.

/Mikael

--- linux-2.5.3-pre5/fs/ext2/super.c.~1~	Fri Jan 25 00:03:58 2002
+++ linux-2.5.3-pre5/fs/ext2/super.c	Fri Jan 25 00:35:12 2002
@@ -155,6 +155,7 @@
 	ei = (struct ext2_inode_info *)kmem_cache_alloc(ext2_inode_cachep, SLAB_KERNEL);
 	if (!ei)
 		return NULL;
+	memset(ei, 0, offsetof(struct ext2_inode_info, vfs_inode));
 	return &ei->vfs_inode;
 }
 
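Review bot: the memset clears only the bytes before vfs_inode, which is correct as long as every ext2-private field is laid out ahead of the embedded generic inode (the layout the mail describes, with fs/inode.c:alloc_inode() initialising the generic part); a field added after vfs_inode later would silently keep the slab's stale contents, so a one-line comment above the memset stating that assumption would help. Clearing in the allocator is also a safety net rather than the root fix: the path that hands out new inodes should still set every field explicitly, otherwise the zero-fill hides which initialiser was missed.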


* Re: [PATCH] ext2 FS corruption in 2.5.3-pre[3-5]
  2002-01-25  0:35 [PATCH] ext2 FS corruption in 2.5.3-pre[3-5] Mikael Pettersson
@ 2002-01-25  2:46 ` Alexander Viro
  0 siblings, 0 replies; 2+ messages in thread
From: Alexander Viro @ 2002-01-25  2:46 UTC (permalink / raw)
  To: Mikael Pettersson; +Cc: torvalds, linux-kernel



On Fri, 25 Jan 2002, Mikael Pettersson wrote:

> Since -pre3, ext2 (and perhaps other FSs, I haven't checked) uses an
> in-core inode layout consisting of an FS-specific head followed by the
> generic inode. ext2 allocates these in fs/ext2/super.c:ext2_alloc_inode(),
> but doesn't clear the ext2-specific fields. fs/inode.c:alloc_inode()
> neither knows about these fields nor clears them, so the ext2-specific
> data remains uninitialised when the new inode is returned for use. Ouch.
> 
> The patch below fixes this by adding the missing memset() to
> fs/ext2/super.c:ext2_alloc_inode(). Works fine over here.

This is very odd, since ext2_new_inode() and ext2_read_inode() _do_
clean (or otherwise set) them.  Let me check...

Arrgh. 1 missing in ext2_new_inode() and 1 (harmless) in ext2_read_inode()

--- C3-pre4/fs/ext2/ialloc.c	Wed Jan 23 20:45:32 2002
+++ /tmp/ialloc.c	Thu Jan 24 21:41:52 2002
@@ -392,6 +392,7 @@
 		ei->i_flags &= ~(EXT2_IMMUTABLE_FL|EXT2_APPEND_FL);
 	ei->i_faddr = 0;
 	ei->i_frag_no = 0;
+	ei->i_frag_size = 0;
 	ei->i_osync = 0;
 	ei->i_file_acl = 0;
 	ei->i_dir_acl = 0;
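Review bot: the added `ei->i_frag_size = 0;` is the field that explains the fsck complaint in the report (i_fsize is its on-disk name), since it was the only ext2-private field in this run of initialisers that was skipped; the fix only affects inodes created from now on, and inodes already written with a stale value still need fsck to clear them. Because this block is a hand-maintained list, a comment stating that it must cover every field of struct ext2_inode_info (or keeping the memset in ext2_alloc_inode() from the original report as a backstop) would make the next omission less likely.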

and

--- C3-pre4/fs/ext2/inode.c	Wed Jan 23 20:45:32 2002
+++ /tmp/inode.c	Thu Jan 24 21:44:48 2002
@@ -963,6 +963,7 @@
 	ei->i_frag_size = raw_inode->i_fsize;
 	ei->i_osync = 0;
 	ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl);
+	ei->i_dir_acl = 0;
 	if (S_ISREG(inode->i_mode))
 		inode->i_size |= ((__u64)le32_to_cpu(raw_inode->i_size_high)) << 32;
 	else
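Review bot: `ei->i_dir_acl = 0;` sits before the S_ISREG() test, but the else branch is cut off by the hunk context, so whether it assigns i_dir_acl from raw_inode for non-regular inodes is not visible here; if it does, the unconditional zero only matters for the S_ISREG case, which is consistent with the "harmless" remark. Moving the assignment into the S_ISREG branch would make that intent explicit, and a short comment would save the next reader from re-deriving it.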

resp.
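The mechanism both messages describe, an FS-private head followed by the embedded generic inode, handed out by a recycling slab cache whose generic part is initialised by the VFS but whose private head is not, can be modelled in user space. The following is an added C example and not code from the thread or from the kernel tree: the struct layouts, the pool allocator standing in for kmem_cache_alloc(), and the 0xA5 "previous user" value are all constructed here. It shows that a reused slot inherits the stale i_frag_size under the pre3..pre5 behaviour, and that the `memset(ei, 0, offsetof(..., vfs_inode))` from the first patch clears exactly the private head and nothing else.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cut-down stand-in for the VFS inode (assumed fields, not the real struct). */
struct inode {
    unsigned long i_ino;
    uint64_t      i_size;
};

/* Cut-down stand-in for struct ext2_inode_info: private head, then the
 * embedded generic inode. Field set is assumed for the example. */
struct ext2_inode_info {
    uint32_t i_faddr;
    uint8_t  i_frag_no;
    uint8_t  i_frag_size;   /* on disk this is i_fsize, what fsck complained about */
    uint32_t i_file_acl;
    uint32_t i_dir_acl;
    struct inode vfs_inode;
};

/* Tiny recycling pool standing in for kmem_cache_alloc()/kmem_cache_free():
 * memory comes back with whatever the previous user left in it. */
#define POOL_SIZE 4
static struct ext2_inode_info pool[POOL_SIZE];
static int in_use[POOL_SIZE];

static struct ext2_inode_info *cache_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!in_use[i]) { in_use[i] = 1; return &pool[i]; }
    return NULL;
}

static void cache_free(struct ext2_inode_info *ei)
{
    in_use[ei - pool] = 0;          /* contents deliberately left behind */
}

/* What fs/inode.c:alloc_inode() does: it knows only the generic part. */
static void vfs_init_inode(struct inode *inode)
{
    memset(inode, 0, sizeof(*inode));
}

/* pre3..pre5 behaviour: the private head is never cleared. */
static struct inode *ext2_alloc_inode_buggy(void)
{
    struct ext2_inode_info *ei = cache_alloc();
    if (!ei)
        return NULL;
    vfs_init_inode(&ei->vfs_inode);
    return &ei->vfs_inode;
}

/* With the memset from the first patch: clear every byte before vfs_inode. */
static struct inode *ext2_alloc_inode_fixed(void)
{
    struct ext2_inode_info *ei = cache_alloc();
    if (!ei)
        return NULL;
    memset(ei, 0, offsetof(struct ext2_inode_info, vfs_inode));
    vfs_init_inode(&ei->vfs_inode);
    return &ei->vfs_inode;
}

/* container_of in miniature: recover the private head from the generic inode. */
static struct ext2_inode_info *EXT2_I(struct inode *inode)
{
    return (struct ext2_inode_info *)
        ((char *)inode - offsetof(struct ext2_inode_info, vfs_inode));
}

static void ext2_destroy_inode(struct inode *inode)
{
    cache_free(EXT2_I(inode));
}

/* One inode lives, gets a fragment size, dies; the next allocation reuses
 * the slot. Returns the i_frag_size the new inode starts with, i.e. what a
 * creation path that forgets to set the field would later write to disk. */
static unsigned stale_frag_size(struct inode *(*alloc)(void))
{
    struct inode *first = alloc();
    EXT2_I(first)->i_frag_size = 0xA5;   /* constructed "previous user" value */
    ext2_destroy_inode(first);

    struct inode *second = alloc();
    unsigned seen = EXT2_I(second)->i_frag_size;
    ext2_destroy_inode(second);
    return seen;
}

int main(void)
{
    printf("buggy: i_frag_size = 0x%02X\n", stale_frag_size(ext2_alloc_inode_buggy));
    printf("fixed: i_frag_size = 0x%02X\n", stale_frag_size(ext2_alloc_inode_fixed));
    return 0;
}
```

The offsetof() bound is what makes the memset safe to combine with vfs_init_inode(): it stops exactly where the generic inode begins, so the VFS initialiser is not undone. The same bound is also its limitation, which the reply's per-field fixes in ext2_new_inode() and ext2_read_inode() address from the other side: any private field placed after vfs_inode would fall outside the cleared range, so the allocator-level clear is a backstop and each creation or read path still needs to assign every field it owns.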



