From: Al Viro <viro@zeniv.linux.org.uk>
To: syzbot <syzbot+320c57a47bdabc1f294b@syzkaller.appspotmail.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
surajsonawane0215@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] WARNING in minix_unlink
Date: Sun, 24 Nov 2024 20:10:09 +0000 [thread overview]
Message-ID: <20241124201009.GZ3387508@ZenIV> (raw)
In-Reply-To: <20241124194701.GY3387508@ZenIV>
On Sun, Nov 24, 2024 at 07:47:01PM +0000, Al Viro wrote:
> On Sun, Nov 24, 2024 at 11:41:01AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in minix_unlink
>
> Predictably, since the warning has nothing to do with marking an unchanged
> buffer dirty...
>
> What happens there is that on a badly corrupt image we have an on-disk
> inode with link count below the actual number of links. And after
> unlinks remove enough of those to drive the link count to 0, inode
> is freed. After that point, all remaining links are pointing to a freed
> on-disk inode, which is discovered when they need to decrement of link
> count that is already 0. Which does deserve a warning, probably without
> a stack trace.
>
> There's nothing the kernel can do about that, short of scanning the entire
> filesystem at mount time and verifying that link counts are accurate...
Theoretically we could check if there's an associated dentry at the time of
decrement-to-0 and refuse to do that decrement in such case, marking the
in-core inode so that no extra dentries would be associated with it
from that point on. Not sure if that'd make for a good mitigation strategy,
though - and it wouldn't help in case of extra links we hadn't seen by
that point; they would become dangling pointers and reuse of on-disk inode
would still be possible...
next prev parent reply other threads:[~2024-11-24 20:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-22 18:44 [syzbot] [fs?] WARNING in minix_unlink syzbot
2024-11-24 19:13 ` Suraj Sonawane
2024-11-24 19:41 ` syzbot
2024-11-24 19:47 ` Al Viro
2024-11-24 20:10 ` Al Viro [this message]
2024-11-25 3:00 ` Theodore Ts'o
2024-11-25 5:49 ` Suraj Sonawane
2024-11-25 5:47 ` Suraj Sonawane
2026-01-12 4:24 ` syzbot
2026-01-12 11:50 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241124201009.GZ3387508@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=surajsonawane0215@gmail.com \
--cc=syzbot+320c57a47bdabc1f294b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.