From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Theodore Tso <tytso@mit.edu>
Subject: [PATCH 3.14 17/23] ext4: fix hang when processing corrupted orphaned inode list
Date: Sun, 5 Jun 2016 14:40:17 -0700 [thread overview]
Message-ID: <20160605213828.690328468@linuxfoundation.org> (raw)
In-Reply-To: <20160605213826.938892115@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o <tytso@mit.edu>
commit c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.
If the orphaned inode list contains inode #5, ext4_iget() returns a
bad inode (since the bootloader inode should never be referenced
directly). Because of the bad inode, we end up processing the inode
repeatedly and this hangs the machine.
This can be reproduced via:
mke2fs -t ext4 /tmp/foo.img 100
debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
mount -o loop /tmp/foo.img /mnt
(But don't do this if you are using an unpatched kernel if you care
about the system staying functional. :-)
This bug was found by the port of American Fuzzy Lop into the kernel
to find file system problems[1]. (Since it *only* happens if inode #5
shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
surprising that AFL needed two hours before it found it.)
[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
Reported by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ialloc.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1097,11 +1097,13 @@ struct inode *ext4_orphan_get(struct sup
goto iget_failed;
/*
- * If the orphans has i_nlinks > 0 then it should be able to be
- * truncated, otherwise it won't be removed from the orphan list
- * during processing and an infinite loop will result.
+ * If the orphans has i_nlinks > 0 then it should be able to
+ * be truncated, otherwise it won't be removed from the orphan
+ * list during processing and an infinite loop will result.
+ * Similarly, it must not be a bad inode.
*/
- if (inode->i_nlink && !ext4_can_truncate(inode))
+ if ((inode->i_nlink && !ext4_can_truncate(inode)) ||
+ is_bad_inode(inode))
goto bad_orphan;
if (NEXT_ORPHAN(inode) > max_ino)
next prev parent reply other threads:[~2016-06-05 21:40 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-05 21:40 [PATCH 3.14 00/23] 3.14.72-stable review Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 01/23] MIPS: math-emu: Fix jalr emulation when rd == $0 Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 02/23] MIPS: Fix siginfo.h to use strict posix types Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 03/23] MIPS: ath79: make bootconsole wait for both THRE and TEMT Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 04/23] Input: uinput - handle compat ioctl for UI_SET_PHYS Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 05/23] ath5k: Change led pin configuration for compaq c700 laptop Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 06/23] aacraid: Relinquish CPU during timeout wait Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 07/23] aacraid: Fix for aac_command_thread hang Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 08/23] cpuidle: Indicate when a device has been unregistered Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 09/23] PCI: Disable all BAR sizing for devices with non-compliant BARs Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 10/23] rtlwifi: Fix logic error in enter/exit power-save mode Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 11/23] pipe: Fix buffer offset after partially failed read Greg Kroah-Hartman
2016-06-07 13:50 ` Jiri Slaby
2016-06-07 14:42 ` Ben Hutchings
2016-06-05 21:40 ` [PATCH 3.14 12/23] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 13/23] xen/events: Dont move disabled irqs Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 15/23] drm/gma500: Fix possible out of bounds read Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 16/23] drm/fb_helper: Fix references to dev->mode_config.num_connector Greg Kroah-Hartman
2016-06-05 21:40 ` Greg Kroah-Hartman [this message]
2016-06-05 21:40 ` [PATCH 3.14 18/23] ext4: address UBSAN warning in mb_find_order_for_block() Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 19/23] ext4: silence UBSAN in ext4_mb_init() Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 21/23] xfs: xfs_iflush_cluster fails to abort on error Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 22/23] xfs: fix inode validity check in xfs_iflush_cluster Greg Kroah-Hartman
2016-06-05 21:40 ` [PATCH 3.14 23/23] xfs: skip stale inodes " Greg Kroah-Hartman
2016-06-06 17:26 ` [PATCH 3.14 00/23] 3.14.72-stable review Shuah Khan
2016-06-08 0:21 ` Greg Kroah-Hartman
2016-06-07 3:49 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160605213828.690328468@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).