Re: [PATCH] ocfs2: Add a sanity check for corrupted file system.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Julian Sun <sunjunchao2870@gmail.com>
To: Joseph Qi <joseph.qi@linux.alibaba.com>,
	ocfs2-devel@lists.linux.dev,  linux-kernel@vger.kernel.org
Cc: mark@fasheh.com, jlbec@evilplan.org,
	sunjunchao <sunjunchao@zspace.cn>,
	 syzbot+2313dda4dc4885c93578@syzkaller.appspotmail.com
Subject: Re: [PATCH] ocfs2: Add a sanity check for corrupted file system.
Date: Tue, 31 Dec 2024 16:14:32 +0800	[thread overview]
Message-ID: <e63add409dc9fa30c3f1461c7a32e73acdd3cd0e.camel@gmail.com> (raw)
In-Reply-To: <df33d96d-e8fb-4de9-99cd-f21e0eee8195@linux.alibaba.com>

On Tue, 2024-12-31 at 15:16 +0800, Joseph Qi wrote:
> 
> 
> On 2024/12/10 21:08, sunjunchao wrote:
> > Hi,
> > 
> > Recently syzbot reported a use-after-free issue[1].
> > 
> > The root cause of the problem is that the journal
> > inode recorded in this file system image is corrupted.
> > The value of "di->id2.i_list.l_next_free_rec" is 8193,
> > which is greater than the value of "di->id2.i_list.l_count" (19).
> > 
> > To solve this problem, an additional check should be added
> > during the validity check. If the check fails, an error will
> > be returned and the file system will be set to read-only.
> > Also correct the l_next_free_rec value if online check is triggered,
> > same as what fsck.ocfs2 does.
> > 
> > [1]: https://lore.kernel.org/all/67577778.050a0220.a30f1.01bc.GAE@google.com/T/
> > 
> > Reported-and-tested-by: syzbot+2313dda4dc4885c93578@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=2313dda4dc4885c93578
> > Signed-off-by: sunjunchao <sunjunchao@zspace.cn>
> > ---
> >  fs/ocfs2/inode.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 44 insertions(+)
> > 
> > diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
> > index 2cc5c99fe941..d3df54467d73 100644
> > --- a/fs/ocfs2/inode.c
> > +++ b/fs/ocfs2/inode.c
> > @@ -1358,6 +1358,21 @@ void ocfs2_refresh_inode(struct inode *inode,
> >         spin_unlock(&OCFS2_I(inode)->ip_lock);
> >  }
> >  
> > +static int has_extents(struct ocfs2_dinode *di)
> > +{
> > +       /* inodes flagged with other stuff in id2 */
> > +       if (di->i_flags & (OCFS2_SUPER_BLOCK_FL | OCFS2_LOCAL_ALLOC_FL |
> > +                          OCFS2_CHAIN_FL | OCFS2_DEALLOC_FL))
> > +               return 0;
> > +       /* i_flags doesn't indicate when id2 is a fast symlink */
> > +       if (S_ISLNK(di->i_mode) && di->i_size && di->i_clusters == 0)
> > +               return 0;
> > +       if (di->i_dyn_features & OCFS2_INLINE_DATA_FL)
> > +               return 0;
> > +
> > +       return 1;
> > +}
> > +
> >  int ocfs2_validate_inode_block(struct super_block *sb,
> >                                struct buffer_head *bh)
> >  {
> > @@ -1386,6 +1401,15 @@ int ocfs2_validate_inode_block(struct super_block *sb,
> >  
> >         rc = -EINVAL;
> >  
> > +       if (has_extents(di) && le16_to_cpu(di->id2.i_list.l_next_free_rec) >
> 
> Seems has_extent() is used to identify type of extent list?

Exactly, actually it was adapted from ocfs2_tools.

> IMO, ocfs2_validate_inode_block() is a common validation function, so I
> don't it is proper to check extent list here.
> So how about add the check into ocfs2_get_clusters_nocache()?

Sure, this makes it clearer and more straightforward, will fix it in next version.

> 
> > +           le16_to_cpu(di->id2.i_list.l_count)) {
> > +               rc = ocfs2_error(sb, "corrupted dinode #%llu: next_free_rec is %u, count is %u\n",
> > +                                (unsigned long long)bh->b_blocknr,
> > +                                le16_to_cpu(di->id2.i_list.l_next_free_rec),
> > +                                le16_to_cpu(di->id2.i_list.l_count));
> > +               goto bail;
> > +       }
> > +
> >         if (!OCFS2_IS_VALID_DINODE(di)) {
> >                 rc = ocfs2_error(sb, "Invalid dinode #%llu: signature = %.*s\n",
> >                                  (unsigned long long)bh->b_blocknr, 7,
> > @@ -1483,6 +1507,16 @@ static int ocfs2_filecheck_validate_inode_block(struct super_block *sb,
> >                 rc = -OCFS2_FILECHECK_ERR_GENERATION;
> >         }
> >  
> > +       if (has_extents(di) && le16_to_cpu(di->id2.i_list.l_next_free_rec) >
> > +           le16_to_cpu(di->id2.i_list.l_count)) {
> > +               mlog(ML_ERROR,
> > +                    "Filecheck: invalid dinode #%llu: l_next_free_rec is %u, l_count is %u\n",
> > +                    (unsigned long long)bh->b_blocknr,
> > +                    le16_to_cpu(di->id2.i_list.l_next_free_rec),
> > +                    le16_to_cpu(di->id2.i_list.l_count));
> > +               rc = -OCFS2_FILECHECK_ERR_FAILED;
> > +       }
> > +
> >  bail:
> >         return rc;
> >  }
> > @@ -1547,6 +1581,16 @@ static int ocfs2_filecheck_repair_inode_block(struct super_block *sb,
> >                      le32_to_cpu(di->i_fs_generation));
> >         }
> >  
> > +       if (has_extents(di) && le16_to_cpu(di->id2.i_list.l_next_free_rec) >
> > +           le16_to_cpu(di->id2.i_list.l_count)) {
> > +               di->id2.i_list.l_next_free_rec = di->id2.i_list.l_count;
> > +               changed = 1;
> > +               mlog(ML_ERROR,
> > +                    "Filecheck: reset dinode #%llu: l_next_free_rec to %u\n",
> > +                    (unsigned long long)bh->b_blocknr,
> > +                    le16_to_cpu(di->id2.i_list.l_next_free_rec));
> > +       }
> > +
> 
> For file check, I'd like to post it as a separate patch.

Yes, this is exactly how it should be.
Thanks for your review and comments.

> 
> Thanks,
> Joseph
> 
> >         if (changed || ocfs2_validate_meta_ecc(sb, bh->b_data, &di->i_check)) {
> >                 ocfs2_compute_meta_ecc(sb, bh->b_data, &di->i_check);
> >                 mark_buffer_dirty(bh);
> 

Thanks.
-- 
Julian Sun <sunjunchao2870@gmail.com>

     prev parent reply	other threads:[~2024-12-31  8:14 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-10 13:08 [PATCH] ocfs2: Add a sanity check for corrupted file system sunjunchao
2024-12-31  7:16 ` Joseph Qi
2024-12-31  8:14   ` Julian Sun [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e63add409dc9fa30c3f1461c7a32e73acdd3cd0e.camel@gmail.com \
    --to=sunjunchao2870@gmail.com \
    --cc=jlbec@evilplan.org \
    --cc=joseph.qi@linux.alibaba.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mark@fasheh.com \
    --cc=ocfs2-devel@lists.linux.dev \
    --cc=sunjunchao@zspace.cn \
    --cc=syzbot+2313dda4dc4885c93578@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox