[lvc-project] [PATCH 0/2] ext2: fix WARN_ON in drop_nlink() triggered by corrupt images
Vasiliy Kovalev
kovalev at altlinux.org
Sat Apr 4 18:27:37 MSK 2026
On 4/2/26 01:08, Vasiliy Kovalev wrote:
> A crafted ext2 image can contain a directory entry pointing to an inode
> whose on-disk i_links_count is zero. ext2 mounts such an image without
> error. Any subsequent syscall that decrements i_nlink on that inode
> triggers WARN_ON inside drop_nlink() in fs/inode.c.
>
> These patches prevent the warning by validating i_nlink before decrementing
> it in ext2_unlink() and ext2_rename(), reporting the corruption via
> ext2_error() instead.
>
> The issues were found by Linux Verification Center (linuxtesting.org)
> with Syzkaller.
>
> Vasiliy Kovalev (2):
> ext2: validate i_nlink before decrement in ext2_unlink()
> ext2: guard against zero i_nlink on new_inode in ext2_rename()
Syzkaller found a third trigger via ext2_rmdir(). Rather than adding
another guard in namei.c, I fixed the root cause in ext2_iget() instead
- a single check there covers all three cases at once.
New patch:
https://lore.kernel.org/all/20260404152011.2590197-1-kovalev@altlinux.org/
If the previous two patches have not been picked up yet, please
consider this one as a replacement for the entire series.
> fs/ext2/namei.c | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> --- [Reproducer for PATCH 1/2: ext2_unlink] ---
> [...]
>
> --- [Reproducer for PATCH 2/2: ext2_rename] ---
> [...]
--
Thanks,
Vasiliy
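
An offline check for the condition described in this thread, added here as an illustration; it is not code from the patches or from their author. It walks an ext2 image from the root directory and reports every directory entry whose target inode has an on-disk i_links_count of zero. Assumptions: the names `Ext2Image` and `find_zero_nlink_entries` are hypothetical, only direct directory blocks (i_block[0..11]) are read, and an image damaged in other ways may raise `struct.error`.

```python
import struct

def _u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def _u32(buf, off): return struct.unpack_from("<I", buf, off)[0]

class Ext2Image:
    def __init__(self, img):
        sb = img[1024:2048]                       # superblock starts at byte 1024
        if len(sb) < 1024 or _u16(sb, 56) != 0xEF53 or not _u32(sb, 40):
            raise ValueError("no usable ext2 superblock")
        self.img, self.bs = img, 1024 << _u32(sb, 24)
        self.ninodes, self.ipg = _u32(sb, 0), _u32(sb, 40)
        self.isize = _u16(sb, 88) if _u32(sb, 76) >= 1 else 128
        self.gdt = (_u32(sb, 20) + 1) * self.bs   # group descriptors follow the superblock

    def inode(self, ino):
        grp, idx = divmod(ino - 1, self.ipg)
        table = _u32(self.img, self.gdt + 32 * grp + 8)    # bg_inode_table
        off = table * self.bs + idx * self.isize
        return self.img[off:off + self.isize]

    def dirents(self, raw):
        for blk in struct.unpack_from("<12I", raw, 40):    # i_block[0..11], direct only
            data = self.img[blk * self.bs:(blk + 1) * self.bs] if blk else b""
            pos = 0
            while pos + 8 <= len(data):
                ino, rec_len, name_len = struct.unpack_from("<IHB", data, pos)
                if rec_len < 8 or pos + rec_len > len(data):
                    break                                  # malformed record, stop this block
                if ino:
                    yield ino, data[pos + 8:pos + 8 + name_len].decode("latin-1")
                pos += rec_len

def find_zero_nlink_entries(img):
    """Return (dir_ino, name, target_ino) for entries whose target has i_links_count == 0."""
    fs, findings, seen, todo = Ext2Image(img), [], {2}, [2]   # inode 2 is the root directory
    while todo:
        parent = todo.pop()
        for ino, name in fs.dirents(fs.inode(parent)):
            if name in (".", "..") or not 1 <= ino <= fs.ninodes:
                continue
            raw = fs.inode(ino)
            if _u16(raw, 26) == 0:                         # i_links_count
                findings.append((parent, name, ino))
            elif _u16(raw, 0) & 0xF000 == 0x4000 and ino not in seen:
                seen.add(ino)                              # descend into subdirectories
                todo.append(ino)
    return findings
```

Pass the function the bytes of an unmounted image file; an empty list means no reachable entry points at an inode with a zero link count.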