From: Al Viro <viro@zeniv.linux.org.uk>
To: syzbot <syzbot+320c57a47bdabc1f294b@syzkaller.appspotmail.com>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
surajsonawane0215@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] WARNING in minix_unlink
Date: Sun, 24 Nov 2024 20:10:09 +0000 [thread overview]
Message-ID: <20241124201009.GZ3387508@ZenIV> (raw)
In-Reply-To: <20241124194701.GY3387508@ZenIV>
On Sun, Nov 24, 2024 at 07:47:01PM +0000, Al Viro wrote:
> On Sun, Nov 24, 2024 at 11:41:01AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > WARNING in minix_unlink
>
> Predictably, since the warning has nothing to do with marking an unchanged
> buffer dirty...
>
> What happens there is that on a badly corrupt image we have an on-disk
> inode with link count below the actual number of links. And after
> unlinks remove enough of those to drive the link count to 0, inode
> is freed. After that point, all remaining links are pointing to a freed
> on-disk inode, which is discovered when they need to decrement of link
> count that is already 0. Which does deserve a warning, probably without
> a stack trace.
>
> There's nothing the kernel can do about that, short of scanning the entire
> filesystem at mount time and verifying that link counts are accurate...
Theoretically we could check if there's an associated dentry at the time of
decrement-to-0 and refuse to do that decrement in such case, marking the
in-core inode so that no extra dentries would be associated with it
from that point on. Not sure if that'd make for a good mitigation strategy,
though - and it wouldn't help in case of extra links we hadn't seen by
that point; they would become dangling pointers and reuse of on-disk inode
would still be possible...
next prev parent reply other threads:[~2024-11-24 20:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-22 18:44 [syzbot] [fs?] WARNING in minix_unlink syzbot
2024-11-24 19:13 ` Suraj Sonawane
2024-11-24 19:41 ` syzbot
2024-11-24 19:47 ` Al Viro
2024-11-24 20:10 ` Al Viro [this message]
2024-11-25 3:00 ` Theodore Ts'o
2024-11-25 5:49 ` Suraj Sonawane
2024-11-25 5:47 ` Suraj Sonawane
2026-01-12 4:24 ` syzbot
2026-01-12 11:50 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241124201009.GZ3387508@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=surajsonawane0215@gmail.com \
--cc=syzbot+320c57a47bdabc1f294b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox