Re: [PATCH 0/2] ext2: fix WARN_ON in drop_nlink() triggered by corrupt images
From: Vasiliy Kovalev
Date: Sat Apr 04 2026 - 11:27:52 EST
On 4/2/26 01:08, Vasiliy Kovalev wrote:
> A crafted ext2 image can contain a directory entry pointing to an inode
> whose on-disk i_links_count is zero. ext2 mounts such an image without
> error. Any subsequent syscall that decrements i_nlink on that inode
> triggers WARN_ON inside drop_nlink() in fs/inode.c.
>
> These patches prevent the warning by validating i_nlink before decrementing
> it in ext2_unlink() and ext2_rename(), reporting the corruption via
> ext2_error() instead.
>
> The issues were found by Linux Verification Center (linuxtesting.org)
> with Syzkaller.
>
> Vasiliy Kovalev (2):
>   ext2: validate i_nlink before decrement in ext2_unlink()
>   ext2: guard against zero i_nlink on new_inode in ext2_rename()
Syzkaller found a third trigger via ext2_rmdir(). Rather than adding
another guard in namei.c, I fixed the root cause in ext2_iget() instead -
a single check there covers all three cases at once.
New patch: https://lore.kernel.org/all/20260404152011.2590197-1-kovalev@xxxxxxxxxxxx/
If the previous two patches have not been picked up yet, please
consider this one as a replacement for the entire series.
>  fs/ext2/namei.c | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)
>
> --- [Reproducer for PATCH 1/2: ext2_unlink] ---
> [...]
>
> --- [Reproducer for PATCH 2/2: ext2_rename] ---
> [...]
--
Thanks,
Vasiliy