From: "Theodore Ts'o" <tytso@mit.edu>
To: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: jack@suse.com, adilger.kernel@dilger.ca,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
yi.zhang@huawei.com
Subject: Re: [PATCH] ext4: Fix WANRON caused by unconsistent boot loader inode's i_size and i_disksize
Date: Tue, 7 Mar 2023 23:31:39 -0500 [thread overview]
Message-ID: <20230308043139.GD860405@mit.edu> (raw)
In-Reply-To: <20230308032643.641113-1-chengzhihao1@huawei.com>
On Wed, Mar 08, 2023 at 11:26:43AM +0800, Zhihao Cheng wrote:
> Using corrupted ext4 image(non-zero i_size for boot loader inode) could
> trigger WARNON 'i_size_read(inode) < EXT4_I(inode)->i_disksize' in
> ext4_handle_inode_extension():
>
> WARNING: CPU: 0 PID: 2580 at fs/ext4/file.c:319
> CPU: 0 PID: 2580 Comm: bb Not tainted 6.3.0-rc1-00004-g703695902cfa
> RIP: 0010:ext4_file_write_iter+0xbc7/0xd10
> Call Trace:
> vfs_write+0x3b1/0x5c0
> ksys_write+0x77/0x160
> __x64_sys_write+0x22/0x30
> do_syscall_64+0x39/0x80
>
> Reproducer (See Link):
> 1. mount corrupted ext4 image with non-zero i_size for boot loader inode
> 2. ioctl(fd, EXT4_IOC_SWAP_BOOT)
> 3. write(fd) // O_DIRECT
>
> Fix it by setting i_disksize while first loading boot loader inode.
Thanks for reporting the bug, but this is not the correct fix.
We need to swap i_disksize when we swap i_size in swap_inode_data().
Otherwise, if we fail later in the swap_inode_boot_loader() function,
the change to i_datasize won't get undone, which will lead to further
problems.
The correct fix is here:
https://lore.kernel.org/all/20230308041252.GC860405@mit.edu/
- Ted
P.S. Chrome refused to download the b.c attachment, claiming it was
"dangerous". Perhaps it was because of the commands involving
system(3) which among other things, uses dd to overwrite /dev/sda with
the image file.
It's best if the reproducer program doesn't doesn't make assumption
about whether it's safe to randomly dd files to /dev/sda. Of course,
I'm a paranoid s.o.b. so I'm not about to download, compile and
blindly run a random program that I get from the 'net. :-)
But it's actually not all that convenient. So I just deleted all of
the system(3) calls from your b.c program, and then used a simple
shell script:
cp /vtmp/disk /vtmp/foo.img
mount -o loop /vtmp/foo.img /mnt
cd /mnt
/vtmp/b
... where /vtmp in the guest VM is automatically setup if you are
using kvm-xfstests[1] to be a 9p file system passthrough of
/tmp/kvm-xfstests-$USER on the host.
[1] https://github.com/tytso/xfstests-bld/blob/master/Documentation/kvm-xfstests.md
next prev parent reply other threads:[~2023-03-08 4:32 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-08 3:26 [PATCH] ext4: Fix WANRON caused by unconsistent boot loader inode's i_size and i_disksize Zhihao Cheng
2023-03-08 4:31 ` Theodore Ts'o [this message]
2023-03-11 5:16 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230308043139.GD860405@mit.edu \
--to=tytso@mit.edu \
--cc=adilger.kernel@dilger.ca \
--cc=chengzhihao1@huawei.com \
--cc=jack@suse.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=yi.zhang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.