[syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 50c19e20ed2e Merge tag 'nolibc-20250928-for-6.18-1' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15bd8092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f30a7c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1109e942580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-50c19e20.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/33a22a854fe0/vmlinux-50c19e20.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e68f79994eb8/bzImage-50c19e20.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/921fccc3cfcf/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=16c42092580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
Read of size 1 at addr ffff8880528ccb57 by task syz.0.24/5691

CPU: 0 UID: 0 PID: 5691 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x1101/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f807b98eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f807c806038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f807bbe6090 RCX: 00007f807b98eec9
RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c
RBP: 00007f807ba11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f807bbe6128 R14: 00007f807bbe6090 R15: 00007ffea28141a8
</TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fe26f59e pfn:0x528cc
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00014a3348 ffffea00014a3208 0000000000000000
raw: 00000007fe26f59e 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5688, tgid 5688 (rm), ts 112106822009, free_ts 112155145845
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 5688 tgid 5688 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952
folios_put_refs+0x559/0x640 mm/swap.c:999
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
exit_mmap+0x44c/0xb50 mm/mmap.c:1293
__mmput+0x118/0x430 kernel/fork.c:1130
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:949
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff8880528cca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880528cca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880528ccb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880528ccb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880528ccc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add bounds validation for inline directory xattr data to prevent
use-after-free when accessing corrupted filesystems.

ext4_find_inline_entry() performs two directory searches: first in
the i_block area, then in the extended attribute (xattr) area of the
inode. When calculating inline_start for the xattr area via
ext4_get_inline_xattr_pos(), the function trusts the e_value_offs
field from disk without validating the resulting pointer stays within
the inode's boundaries.

A corrupted filesystem can craft a malicious e_value_offs value that
causes inline_start to point outside the inode's allocated space,
potentially into freed memory. When ext4_search_dir() attempts to
access this invalid pointer, it results in a KASAN use-after-free.

Fix this by validating that inline_start and inline_start + inline_size
remain within the inode's boundaries before calling ext4_search_dir().
Return -EFSCORRUPTED if the bounds check fails.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ext4/inline.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1b094a4f3866..28ac90a8d5a2 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1617,7 +1617,15 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,

inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;
-
+ void *inode_start = ext4_raw_inode(&is.iloc);
+ void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb);
+
+ if (inline_start < inode_start ||
+ inline_start >= inode_end ||
+ inline_start + inline_size > inode_end) {
+ ret = -EFSCORRUPTED;
+ goto out;
+ }
ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
dir, fname, 0, res_dir);
if (ret == 1)
--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a12092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=15d256e2580000

Note: testing is done by a robot and is best-effort only.

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject system.data xattr with external inode storage

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting malformed
inline directory xattr entries during validation.

ext4 uses the system.data xattr to store inline directory entries
within the inode. This xattr must always use inline storage
(e_value_inum == 0). However, a corrupted filesystem can craft a
system.data xattr entry with e_value_inum != 0, bypassing the existing
validation in check_xattrs() which only validates e_value_offs when
e_value_inum == 0.

Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer
that can point outside the inode buffer, potentially into freed memory.

When ext4_search_dir() attempts to access this invalid pointer, it
results in a KASAN use-after-free.

Fix this by explicitly validating that system.data xattr entries always
have e_value_inum == 0 in check_xattrs(). This catches the corruption
at validation time during inode load, before the corrupt pointer can be
used.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/xattr.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 5a6fe1513fd2..a9057d0f9e24 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,6 +251,13 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
err_str = "invalid ea_ino";
goto errout;
}
+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
+ entry->e_name_len == sizeof(EXT4_XATTR_SYSTEM_DATA) - 1 &&
+ !memcmp(entry->e_name, EXT4_XATTR_SYSTEM_DATA, entry->e_name_len) &&
+ ea_ino != 0) {
+ err_str = "system.data xattr cannot use external inode storage";
+ goto errout;
+ }
if (size > EXT4_XATTR_SIZE_MAX) {
err_str = "e_value size too large";
goto errout;
--
2.43.0

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/ext4/xattr.c:255:35: error: use of undeclared identifier 'EXT4_XATTR_SYSTEM_DATA'
fs/ext4/xattr.c:256:30: error: use of undeclared identifier 'EXT4_XATTR_SYSTEM_DATA'

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=159a56e2580000

[syzbot]

index 5a6fe1513fd2..8680f649ea7e 100644

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,6 +251,13 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
err_str = "invalid ea_ino";
goto errout;
}
+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&

+ entry->e_name_len == 4 &&
+ !memcmp(entry->e_name, "data", 4) &&

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_search_dir

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469

Read of size 1 at addr ffff88804907506b by task syz.0.23/5978

CPU: 0 UID: 0 PID: 5978 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]

path_openat+0x10fe/0x3830 fs/namei.c:4131

do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f999878eec9

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f9997ddd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f99989e6090 RCX: 00007f999878eec9

RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c

RBP: 00007f9998811f91 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f99989e6128 R14: 00007f99989e6090 R15: 00007fffca9efab8

</TASK>

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xc002573 pfn:0x49075
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 000000000c002573 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as freed

page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5609, tgid 5609 (syz-execprog), ts 124343619274, free_ts 141401086768

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

page last free pid 78 tgid 78 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952

shrink_folio_list+0x2977/0x4cd0 mm/vmscan.c:1568
evict_folios+0x471e/0x57c0 mm/vmscan.c:4744
try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4907
shrink_one+0x21b/0x7c0 mm/vmscan.c:4952
shrink_many mm/vmscan.c:5015 [inline]
lru_gen_shrink_node mm/vmscan.c:5093 [inline]
shrink_node+0x314e/0x3760 mm/vmscan.c:6078
kswapd_shrink_node mm/vmscan.c:6938 [inline]
balance_pgdat mm/vmscan.c:7121 [inline]
kswapd+0x147c/0x2830 mm/vmscan.c:7386
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:

ffff888049074f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888049074f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888049075000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888049075080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888049075100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=15a92092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=15786334580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject system.data xattr with external inode storage
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inline directory
xattr entries that claim to use external inode storage.

ext4 uses the system.data xattr to store inline directory entries

within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set,
the system.data xattr must use inline storage (e_value_inum == 0).

However, a corrupted filesystem can craft a system.data xattr entry with

e_value_inum != 0, creating an inconsistency. The existing validation in
check_xattrs() skips e_value_offs validation when e_value_inum != 0,
allowing a corrupt e_value_offs to pass through unchecked.

Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer that
can point outside the inode buffer, potentially into freed memory. When
ext4_search_dir() attempts to access this invalid pointer, it results in
a KASAN use-after-free.

Fix this by validating in check_xattrs() that if an inode has the inline
data flag set, the system.data xattr entry must have e_value_inum == 0.
This enforces the consistency between the inode flag and xattr storage
type, catching the corruption at validation time during inode load before

the corrupt pointer can be used.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/xattr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 8680f649ea7e..827f2b6175d0 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
struct ext4_xattr_entry *e = entry;
int err = -EFSCORRUPTED;
char *err_str;
-
+ printk(KERN_WARNING "ext_check_xattrs: entered in function\n");
if (bh) {
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
BHDR(bh)->h_blocks != cpu_to_le32(1)) {
@@ -251,12 +251,18 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,

err_str = "invalid ea_ino";
goto errout;
}

- if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
- entry->e_name_len == 4 &&
- !memcmp(entry->e_name,"data", 4) &&
- ea_ino != 0) {
+ if (ext4_has_inline_data(inode) && ea_ino != 0) {

err_str = "system.data xattr cannot use external inode storage";

- goto errout;
+ goto errout;
+ }

+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
+ entry->e_name_len == 4 &&

+ !memcmp(entry->e_name, "data", 4)) {
+ printk(KERN_ERR "Found system.data xattr: ea_ino=%lu\n", ea_ino);
+ if (ext4_has_inline_data(inode) && ea_ino != 0) {

+ err_str = "system.data xattr cannot use external inode storage";
+ goto errout;
+ }
}
if (size > EXT4_XATTR_SIZE_MAX) {
err_str = "e_value size too large";

--
2.43.0

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/ext4/xattr.c
Hunk #2 FAILED at 251.
1 out of 2 hunks FAILED

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler:

patch: https://syzkaller.appspot.com/x/patch.diff?x=1676fd04580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inodes that
claim to have inline data but have no extra inode space allocated.

ext4 inline data is stored in the extra inode space beyond the
standard 128-byte inode structure. This requires i_extra_isize to be
non-zero to provide space for the system.data xattr that stores the
inline directory entries or file data.

However, a corrupted filesystem can craft an inode with both:
- i_extra_isize == 0 (no extra space)
- EXT4_INODE_INLINE_DATA flag set (claims to use extra space)

This creates a fundamental inconsistency. When i_extra_isize is zero,
ext4_iget() skips calling ext4_iget_extra_inode(), which means the
inline xattr validation in check_xattrs() never runs. Later, when
ext4_find_inline_entry() attempts to access the inline data, it reads
unvalidated and potentially corrupt xattr structures, leading to
out-of-bounds memory access and use-after-free.

Fix this by validating in ext4_iget() that if an inode has the
EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero.
This catches the corruption at inode load time before any inline
data operations are attempted.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..d76800c65317 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {
+ if (ext4_has_inline_data(inode)) {
+ ext4_error_inode(inode, function, line, 0,
+ "inline data flag set but i_extra_isize is zero");
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
/* The extra space is currently unused. Use it. */
BUILD_BUG_ON(sizeof(struct ext4_inode) & 3);
ei->i_extra_isize = sizeof(struct ext4_inode) -
--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=175d4ee2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397

compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=162fe092580000