Re: [syzbot] [fs?] WARNING in minix_unlink

public inbox for linux-fsdevel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Theodore Ts'o" <tytso@mit.edu>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: syzbot <syzbot+320c57a47bdabc1f294b@syzkaller.appspotmail.com>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	surajsonawane0215@gmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [fs?] WARNING in minix_unlink
Date: Sun, 24 Nov 2024 17:00:58 -1000	[thread overview]
Message-ID: <20241125030058.GE3874922@mit.edu> (raw)
In-Reply-To: <20241124201009.GZ3387508@ZenIV>

On Sun, Nov 24, 2024 at 08:10:09PM +0000, Al Viro wrote:
> > What happens there is that on a badly corrupt image we have an on-disk
> > inode with link count below the actual number of links.  And after
> > unlinks remove enough of those to drive the link count to 0, inode
> > is freed.  After that point, all remaining links are pointing to a freed
> > on-disk inode, which is discovered when they need to decrement of link
> > count that is already 0.  Which does deserve a warning, probably without
> > a stack trace.
> > 
> > There's nothing the kernel can do about that, short of scanning the entire
> > filesystem at mount time and verifying that link counts are accurate...
> 
> Theoretically we could check if there's an associated dentry at the time of
> decrement-to-0 and refuse to do that decrement in such case, marking the
> in-core inode so that no extra dentries would be associated with it
> from that point on.  Not sure if that'd make for a good mitigation strategy,
> though - and it wouldn't help in case of extra links we hadn't seen by
> that point; they would become dangling pointers and reuse of on-disk inode
> would still be possible...

Yeah, what we do with ext4 in that case is that we mark the file
system as corrupted, and print an ext4_error() message, but we don't
call WARN_ON.  At this point, you cam either (a) force a reboot, so
that it can get fixed up at fsck time --- this might be appropriate if
you have a failover setup, where bringing the system *down* so the
backup system can do its thing without further corrupting user data,
(b) remount the file system read-only, so that you don't actually do
any further damage to the system, or (c) if the file system is marked
"don't worry, be happy, continue running because some silly security
policy says that bringing the system down is a denial of service
attack and we can't have that (**sigh**), it might be a good idea to
mark the block group as "corrupted" and refuse to do any further block
or inode allocations out of that block group until the file system can
be properly checked.

Anyway, this is why I now ignore any syzkaller report that involves a
badly corrupted file system being mounted.  That's not something I
consider a valid threat model, and if someone wants to pay an engineer
to work through all of those issues, *great*, but I don't have the
time to deal with what I consider a super-low-priority issue.

					- Ted

next prev parent reply	other threads:[~2024-11-25  3:01 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-22 18:44 [syzbot] [fs?] WARNING in minix_unlink syzbot
2024-11-24 19:13 ` Suraj Sonawane
2024-11-24 19:41   ` syzbot
2024-11-24 19:47     ` Al Viro
2024-11-24 20:10       ` Al Viro
2024-11-25  3:00         ` Theodore Ts'o [this message]
2024-11-25  5:49           ` Suraj Sonawane
2024-11-25  5:47         ` Suraj Sonawane
2026-01-12  4:24 ` syzbot
2026-01-12 11:50   ` Jan Kara

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241125030058.GE3874922@mit.edu \
    --to=tytso@mit.edu \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=surajsonawane0215@gmail.com \
    --cc=syzbot+320c57a47bdabc1f294b@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox