[syzbot] [ext4?] KASAN: slab-out-of-bounds Read in ext4_search_dir

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 50c19e20ed2e Merge tag 'nolibc-20250928-for-6.18-1' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15bd8092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14f30a7c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1109e942580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-50c19e20.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/33a22a854fe0/vmlinux-50c19e20.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e68f79994eb8/bzImage-50c19e20.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/921fccc3cfcf/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=16c42092580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
Read of size 1 at addr ffff8880528ccb57 by task syz.0.24/5691

CPU: 0 UID: 0 PID: 5691 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x1101/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f807b98eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f807c806038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f807bbe6090 RCX: 00007f807b98eec9
RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c
RBP: 00007f807ba11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f807bbe6128 R14: 00007f807bbe6090 R15: 00007ffea28141a8
</TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fe26f59e pfn:0x528cc
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00014a3348 ffffea00014a3208 0000000000000000
raw: 00000007fe26f59e 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5688, tgid 5688 (rm), ts 112106822009, free_ts 112155145845
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 5688 tgid 5688 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952
folios_put_refs+0x559/0x640 mm/swap.c:999
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264
__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
exit_mmap+0x44c/0xb50 mm/mmap.c:1293
__mmput+0x118/0x430 kernel/fork.c:1130
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:949
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff8880528cca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880528cca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880528ccb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880528ccb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880528ccc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add bounds validation for inline directory xattr data to prevent
use-after-free when accessing corrupted filesystems.

ext4_find_inline_entry() performs two directory searches: first in
the i_block area, then in the extended attribute (xattr) area of the
inode. When calculating inline_start for the xattr area via
ext4_get_inline_xattr_pos(), the function trusts the e_value_offs
field from disk without validating the resulting pointer stays within
the inode's boundaries.

A corrupted filesystem can craft a malicious e_value_offs value that
causes inline_start to point outside the inode's allocated space,
potentially into freed memory. When ext4_search_dir() attempts to
access this invalid pointer, it results in a KASAN use-after-free.

Fix this by validating that inline_start and inline_start + inline_size
remain within the inode's boundaries before calling ext4_search_dir().
Return -EFSCORRUPTED if the bounds check fails.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ext4/inline.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1b094a4f3866..28ac90a8d5a2 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1617,7 +1617,15 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,

inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;
-
+ void *inode_start = ext4_raw_inode(&is.iloc);
+ void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb);
+
+ if (inline_start < inode_start ||
+ inline_start >= inode_end ||
+ inline_start + inline_size > inode_end) {
+ ret = -EFSCORRUPTED;
+ goto out;
+ }
ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
dir, fname, 0, res_dir);
if (ret == 1)
--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a12092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=15d256e2580000

Note: testing is done by a robot and is best-effort only.

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject system.data xattr with external inode storage

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting malformed
inline directory xattr entries during validation.

ext4 uses the system.data xattr to store inline directory entries
within the inode. This xattr must always use inline storage
(e_value_inum == 0). However, a corrupted filesystem can craft a
system.data xattr entry with e_value_inum != 0, bypassing the existing
validation in check_xattrs() which only validates e_value_offs when
e_value_inum == 0.

Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer
that can point outside the inode buffer, potentially into freed memory.

When ext4_search_dir() attempts to access this invalid pointer, it
results in a KASAN use-after-free.

Fix this by explicitly validating that system.data xattr entries always
have e_value_inum == 0 in check_xattrs(). This catches the corruption
at validation time during inode load, before the corrupt pointer can be
used.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/xattr.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 5a6fe1513fd2..a9057d0f9e24 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,6 +251,13 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
err_str = "invalid ea_ino";
goto errout;
}
+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
+ entry->e_name_len == sizeof(EXT4_XATTR_SYSTEM_DATA) - 1 &&
+ !memcmp(entry->e_name, EXT4_XATTR_SYSTEM_DATA, entry->e_name_len) &&
+ ea_ino != 0) {
+ err_str = "system.data xattr cannot use external inode storage";
+ goto errout;
+ }
if (size > EXT4_XATTR_SIZE_MAX) {
err_str = "e_value size too large";
goto errout;
--
2.43.0

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/ext4/xattr.c:255:35: error: use of undeclared identifier 'EXT4_XATTR_SYSTEM_DATA'
fs/ext4/xattr.c:256:30: error: use of undeclared identifier 'EXT4_XATTR_SYSTEM_DATA'

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=159a56e2580000

[syzbot]

index 5a6fe1513fd2..8680f649ea7e 100644

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -251,6 +251,13 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
err_str = "invalid ea_ino";
goto errout;
}
+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&

+ entry->e_name_len == 4 &&
+ !memcmp(entry->e_name, "data", 4) &&

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_search_dir

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469

Read of size 1 at addr ffff88804907506b by task syz.0.23/5978

CPU: 0 UID: 0 PID: 5978 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]

path_openat+0x10fe/0x3830 fs/namei.c:4131

do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f999878eec9

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f9997ddd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f99989e6090 RCX: 00007f999878eec9

RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c

RBP: 00007f9998811f91 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f99989e6128 R14: 00007f99989e6090 R15: 00007fffca9efab8

</TASK>

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xc002573 pfn:0x49075
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 000000000c002573 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as freed

page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 5609, tgid 5609 (syz-execprog), ts 124343619274, free_ts 141401086768

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1
alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]
__handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

page last free pid 78 tgid 78 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952

shrink_folio_list+0x2977/0x4cd0 mm/vmscan.c:1568
evict_folios+0x471e/0x57c0 mm/vmscan.c:4744
try_to_shrink_lruvec+0x8a3/0xb50 mm/vmscan.c:4907
shrink_one+0x21b/0x7c0 mm/vmscan.c:4952
shrink_many mm/vmscan.c:5015 [inline]
lru_gen_shrink_node mm/vmscan.c:5093 [inline]
shrink_node+0x314e/0x3760 mm/vmscan.c:6078
kswapd_shrink_node mm/vmscan.c:6938 [inline]
balance_pgdat mm/vmscan.c:7121 [inline]
kswapd+0x147c/0x2830 mm/vmscan.c:7386
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x436/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:

ffff888049074f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888049074f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888049075000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888049075080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888049075100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=15a92092580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=15786334580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject system.data xattr with external inode storage
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inline directory
xattr entries that claim to use external inode storage.

ext4 uses the system.data xattr to store inline directory entries

within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set,
the system.data xattr must use inline storage (e_value_inum == 0).

However, a corrupted filesystem can craft a system.data xattr entry with

e_value_inum != 0, creating an inconsistency. The existing validation in
check_xattrs() skips e_value_offs validation when e_value_inum != 0,
allowing a corrupt e_value_offs to pass through unchecked.

Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer that
can point outside the inode buffer, potentially into freed memory. When
ext4_search_dir() attempts to access this invalid pointer, it results in
a KASAN use-after-free.

Fix this by validating in check_xattrs() that if an inode has the inline
data flag set, the system.data xattr entry must have e_value_inum == 0.
This enforces the consistency between the inode flag and xattr storage
type, catching the corruption at validation time during inode load before

the corrupt pointer can be used.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/xattr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 8680f649ea7e..827f2b6175d0 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
struct ext4_xattr_entry *e = entry;
int err = -EFSCORRUPTED;
char *err_str;
-
+ printk(KERN_WARNING "ext_check_xattrs: entered in function\n");
if (bh) {
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
BHDR(bh)->h_blocks != cpu_to_le32(1)) {
@@ -251,12 +251,18 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,

err_str = "invalid ea_ino";
goto errout;
}

- if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
- entry->e_name_len == 4 &&
- !memcmp(entry->e_name,"data", 4) &&
- ea_ino != 0) {
+ if (ext4_has_inline_data(inode) && ea_ino != 0) {

err_str = "system.data xattr cannot use external inode storage";

- goto errout;
+ goto errout;
+ }

+ if (entry->e_name_index == EXT4_XATTR_INDEX_SYSTEM &&
+ entry->e_name_len == 4 &&

+ !memcmp(entry->e_name, "data", 4)) {
+ printk(KERN_ERR "Found system.data xattr: ea_ino=%lu\n", ea_ino);
+ if (ext4_has_inline_data(inode) && ea_ino != 0) {

+ err_str = "system.data xattr cannot use external inode storage";
+ goto errout;
+ }
}
if (size > EXT4_XATTR_SIZE_MAX) {
err_str = "e_value size too large";

--
2.43.0

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/ext4/xattr.c
Hunk #2 FAILED at 251.
1 out of 2 hunks FAILED

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

kernel config: https://syzkaller.appspot.com/x/.config?x=ee1d7eda39c03d2c

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler:

patch: https://syzkaller.appspot.com/x/patch.diff?x=1676fd04580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inodes that
claim to have inline data but have no extra inode space allocated.

ext4 inline data is stored in the extra inode space beyond the
standard 128-byte inode structure. This requires i_extra_isize to be
non-zero to provide space for the system.data xattr that stores the
inline directory entries or file data.

However, a corrupted filesystem can craft an inode with both:
- i_extra_isize == 0 (no extra space)
- EXT4_INODE_INLINE_DATA flag set (claims to use extra space)

This creates a fundamental inconsistency. When i_extra_isize is zero,
ext4_iget() skips calling ext4_iget_extra_inode(), which means the
inline xattr validation in check_xattrs() never runs. Later, when
ext4_find_inline_entry() attempts to access the inline data, it reads
unvalidated and potentially corrupt xattr structures, leading to
out-of-bounds memory access and use-after-free.

Fix this by validating in ext4_iget() that if an inode has the
EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero.
This catches the corruption at inode load time before any inline
data operations are attempted.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..d76800c65317 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {
+ if (ext4_has_inline_data(inode)) {
+ ext4_error_inode(inode, function, line, 0,
+ "inline data flag set but i_extra_isize is zero");
+ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
/* The extra space is currently unused. Use it. */
BUILD_BUG_ON(sizeof(struct ext4_inode) & 3);
ei->i_extra_isize = sizeof(struct ext4_inode) -
--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 7f707257 Merge tag 'kbuild-6.18-1' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=175d4ee2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0364a9e4a291ab2
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397

compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=162fe092580000

[syzbot]

Changes in v2:
- Use ext4_test_inode_flag() instead of ext4_has_inline_data() as
suggested by Theodore Ts'o, since i_inline_off is not yet initialized
at this point in ext4_iget()

---
fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c

index 5b7a15db4953..fe30d4192c7d 100644

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {

+ if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) {

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_search_dir

loop0: detected capacity change from 1024 to 767

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469

Read of size 1 at addr ffff888047fa1c98 by task syz.0.17/6004

CPU: 0 UID: 0 PID: 6004 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x10fe/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f67b018eec9

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f67b1082038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f67b03e5fa0 RCX: 00007f67b018eec9

RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c

RBP: 00007f67b0211f91 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f67b03e6038 R14: 00007f67b03e5fa0 R15: 00007ffc3955f658

</TASK>

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1cf pfn:0x47fa1
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea0001321d08 ffffea0001457388 0000000000000000
raw: 00000000000001cf 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as freed

page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5999, tgid 5999 (dhcpcd-run-hook), ts 97515739076, free_ts 97930783293

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1

wp_page_copy mm/memory.c:3552 [inline]
do_wp_page+0x1231/0x5800 mm/memory.c:4013
handle_pte_fault mm/memory.c:6068 [inline]
__handle_mm_fault+0x1033/0x5440 mm/memory.c:6195

handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

page last free pid 5999 tgid 5999 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952

folios_put_refs+0x559/0x640 mm/swap.c:999
free_pages_and_swap_cache+0x4be/0x520 mm/swap_state.c:267

__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
exit_mmap+0x44c/0xb50 mm/mmap.c:1293
__mmput+0x118/0x430 kernel/fork.c:1130
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:949
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff888047fa1b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888047fa1c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888047fa1c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888047fa1d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888047fa1d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================


Tested on:

commit: f79e7722 Merge tag 'media/v6.18-1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1176c92f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7f967f2c97bd611a

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=11f18458580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject system.data xattr with external inode storage

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inline directory
xattr entries that claim to use external inode storage.

ext4 uses the "system.data" xattr to store inline directory entries
within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set,
the system.data xattr must use inline storage (e_value_inum == 0).

However, a corrupted filesystem can craft a system.data xattr entry with
e_value_inum != 0, creating an inconsistency. The existing validation in
check_xattrs() skips e_value_offs validation when e_value_inum != 0,
allowing a corrupt e_value_offs to pass through unchecked.

Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer that
can point outside the inode buffer, potentially into freed memory. When
ext4_search_dir() attempts to access this invalid pointer, it results in
a KASAN use-after-free.

Fix this by validating in check_xattrs() that if an inode has the inline
data flag set, the system.data xattr entry must have e_value_inum == 0.
This enforces the consistency between the inode flag and xattr storage
type, catching the corruption at validation time during inode load before
the corrupt pointer can be used.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c

index 5b7a15db4953..d082fff675ac 100644

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {

+ if (ext4_has_inline_data(inode)) {

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

KASAN: slab-use-after-free Read in ext4_search_dir

==================================================================
BUG: KASAN: slab-use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
Read of size 1 at addr ffff8880431675a2 by task syz.0.23/5968

CPU: 0 UID: 0 PID: 5968 Comm: syz.0.23 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x10fe/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]

__do_sys_creat fs/open.c:1528 [inline]
__se_sys_creat fs/open.c:1522 [inline]
__x64_sys_creat+0x8f/0xc0 fs/open.c:1522

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fbd45f8eec9

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fbd46dca038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fbd461e6180 RCX: 00007fbd45f8eec9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000100
RBP: 00007fbd46011f91 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007fbd461e6218 R14: 00007fbd461e6180 R15: 00007ffcda6a16e8
</TASK>

Allocated by task 5956:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:333 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:359
kasan_slab_alloc include/linux/kasan.h:252 [inline]
slab_post_alloc_hook mm/slub.c:4944 [inline]
slab_alloc_node mm/slub.c:5243 [inline]
kmem_cache_alloc_noprof+0x37b/0x720 mm/slub.c:5250
alloc_empty_file+0x55/0x1d0 fs/file_table.c:237
path_openat+0x107/0x3830 fs/namei.c:4120

do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 15:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2512 [inline]
slab_free_after_rcu_debug+0x12c/0x2a0 mm/slub.c:6622
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:622
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
slab_free_hook mm/slub.c:2473 [inline]
slab_free mm/slub.c:6564 [inline]
kmem_cache_free+0x4ac/0x6b0 mm/slub.c:6674
task_work_run+0x1d4/0x260 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x6b5/0x2300 kernel/exit.c:961

do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Second to last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
task_work_add+0xb1/0x420 kernel/task_work.c:65
__fput_deferred+0x154/0x390 fs/file_table.c:529
remove_vma+0xdf/0x130 mm/vma.c:466
exit_mmap+0x537/0xb40 mm/mmap.c:1305

__mmput+0x118/0x430 kernel/fork.c:1130
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:949
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888043167540
which belongs to the cache filp of size 360
The buggy address is located 98 bytes inside of
freed 360-byte region [ffff888043167540, ffff8880431676a8)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43167
memcg:ffff888055e55d81
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801b2caa00 ffffea000106a200 dead000000000004
raw: 0000000000000000 0000000000090009 00000000f5000000 ffff888055e55d81

page dumped because: kasan: bad access detected

page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5911, tgid 5911 (rm), ts 147988563881, free_ts 147968362581

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416

alloc_slab_page mm/slub.c:3028 [inline]
allocate_slab+0x96/0x360 mm/slub.c:3201
new_slab mm/slub.c:3255 [inline]
___slab_alloc+0xe75/0x1920 mm/slub.c:4625
__slab_alloc+0x65/0x100 mm/slub.c:4744
__slab_alloc_node mm/slub.c:4820 [inline]
slab_alloc_node mm/slub.c:5231 [inline]
kmem_cache_alloc_noprof+0x40d/0x720 mm/slub.c:5250
alloc_empty_file+0x55/0x1d0 fs/file_table.c:237
path_openat+0x107/0x3830 fs/namei.c:4120

do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 15 tgid 15 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]

__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
pagetable_free include/linux/mm.h:2898 [inline]
pagetable_dtor_free include/linux/mm.h:2996 [inline]
__tlb_remove_table+0x2d2/0x3b0 include/asm-generic/tlb.h:220
__tlb_remove_table_free mm/mmu_gather.c:227 [inline]
tlb_remove_table_rcu+0x85/0x100 mm/mmu_gather.c:290
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core+0xcab/0x1770 kernel/rcu/tree.c:2861
handle_softirqs+0x286/0x870 kernel/softirq.c:622
run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1063
smpboot_thread_fn+0x53f/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:

ffff888043167480: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
ffff888043167500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888043167580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888043167600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888043167680: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=162265cd980000
kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=14d4a85b980000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: fix use-after-free in ext4_search_dir via corrupted inline xattr

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add bounds validation for inline directory xattr data to prevent
use-after-free when accessing corrupted filesystems.

ext4_find_inline_entry() performs two directory searches: first in
the i_block area, then in the extended attribute (xattr) area of the
inode. When calculating inline_start for the xattr area via
ext4_get_inline_xattr_pos(), the function trusts the e_value_offs
field from disk without validating the resulting pointer stays within
the inode's boundaries.

A corrupted filesystem can craft a malicious e_value_offs value that
causes inline_start to point outside the inode's allocated space,

potentially into freed memory. When ext4_search_dir() attempts to
access this invalid pointer, it results in a KASAN use-after-free.

Fix this by validating that inline_start and inline_start + inline_size
remain within the inode's boundaries before calling ext4_search_dir().
Return -EFSCORRUPTED if the bounds check fails.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inline.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1b094a4f3866..28ac90a8d5a2 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1617,7 +1617,15 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,

inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;
-
+ void *inode_start = ext4_raw_inode(&is.iloc);
+ void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb);
+
+ if (inline_start < inode_start ||
+ inline_start >= inode_end ||
+ inline_start + inline_size > inode_end) {

+ ret = -EFSCORRUPTED;

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=10341ee2580000

kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=1030d942580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inodes that
claim to have inline data but have no extra inode space allocated.
ext4 inline data is stored in the extra inode space beyond the
standard 128-byte inode structure. This requires i_extra_isize to be
non-zero to provide space for the system.data xattr that stores the
inline directory entries or file data.
However, a corrupted filesystem can craft an inode with both:
- i_extra_isize == 0 (no extra space)
- EXT4_INODE_INLINE_DATA flag set (claims to use extra space)
This creates a fundamental inconsistency. When i_extra_isize is zero,
ext4_iget() skips calling ext4_iget_extra_inode(), which means the
inline xattr validation in check_xattrs() never runs. Later, when
ext4_find_inline_entry() attempts to access the inline data, it reads
unvalidated and potentially corrupt xattr structures, leading to
out-of-bounds memory access and use-after-free.
Fix this by validating in ext4_iget() that if an inode has the
EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero.
This catches the corruption at inode load time before any inline
data operations are attempted.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inode.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..8682ee8f1e50 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5414,6 +5414,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
ei->i_sync_tid = tid;
ei->i_datasync_tid = tid;
}
+ if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) {

+ ext4_error_inode(inode, function, line, 0,

+ "wow! this inode has less data");
+ if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) {
+ ext4_error_inode(inode, function, line, 0, "wow! this inode is line");
+ }
+ }

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {

@@ -5422,6 +5429,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

ei->i_extra_isize = sizeof(struct ext4_inode) -

EXT4_GOOD_OLD_INODE_SIZE;
} else {

+ ext4_error_inode(inode, function, line, 0,

+ "wow! this inode has reached ext4 iget");
ret = ext4_iget_extra_inode(inode, raw_inode, ei);
if (ret)
goto bad_inode;
--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

KASAN: use-after-free Read in ext4_search_dir

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
Read of size 1 at addr ffff888043c0f1b3 by task syz.0.17/6052

CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x10fe/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]

__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fc79498eec9

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007fc7958bb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fc794be6090 RCX: 00007fc79498eec9

RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c

RBP: 00007fc794a11f91 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007fc794be6128 R14: 00007fc794be6090 R15: 00007ffe09140cb8
</TASK>

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x7fe0644ad pfn:0x43c0f
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00010f0408 ffffea00010f0548 0000000000000000
raw: 00000007fe0644ad 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected

page_owner tracks the page as freed

page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), pid 6053, tgid 6053 (modprobe), ts 152683869333, free_ts 152820788321

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416

folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1

alloc_anon_folio mm/memory.c:4997 [inline]
do_anonymous_page mm/memory.c:5054 [inline]
do_pte_missing mm/memory.c:4232 [inline]
handle_pte_fault mm/memory.c:6052 [inline]

__handle_mm_fault+0x2ab9/0x5440 mm/memory.c:6195

handle_mm_fault+0x40a/0x8e0 mm/memory.c:6364
do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

page last free pid 6053 tgid 6053 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]

free_unref_folios+0xdbd/0x1520 mm/page_alloc.c:2952
folios_put_refs+0x559/0x640 mm/swap.c:999

free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:264

__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497

exit_mmap+0x444/0xb40 mm/mmap.c:1293

__mmput+0x118/0x430 kernel/fork.c:1130
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:949
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
__do_sys_exit_group kernel/exit.c:1113 [inline]
__se_sys_exit_group kernel/exit.c:1111 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1111
x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff888043c0f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888043c0f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888043c0f180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888043c0f200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888043c0f280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Tested on:

commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=14e31214580000

kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=14980304580000

[syzbot]

fs/ext4/inode.c | 13 ++++++++++++-
fs/ext4/xattr.c | 2 +-
2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..257e9b1c6416 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode,
if (EXT4_INODE_HAS_XATTR_SPACE(inode) &&
*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
int err;
-
+ ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0,
+ "wow this inode has extra space");
err = xattr_check_inode(inode, IHDR(inode, raw_inode),
ITAIL(inode, raw_inode));
if (err)
@@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode,
return err;
} else
EXT4_I(inode)->i_inline_off = 0;
+
return 0;
}

@@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

ei->i_sync_tid = tid;
ei->i_datasync_tid = tid;
}
+ if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) {
+ ext4_error_inode(inode, function, line, 0,
+ "wow! this inode has less data");
+ if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) {
+ ext4_error_inode(inode, function, line, 0, "wow! this inode is line");
+ }
+ }

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {

@@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

ei->i_extra_isize = sizeof(struct ext4_inode) -
EXT4_GOOD_OLD_INODE_SIZE;
} else {
+ ext4_error_inode(inode, function, line, 0,
+ "wow! this inode has reached ext4 iget");
ret = ext4_iget_extra_inode(inode, raw_inode, ei);
if (ret)
goto bad_inode;

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 5a6fe1513fd2..9b4a6978b313 100644

--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -195,7 +195,7 @@ check_xattrs(struct inode *inode, struct buffer_head *bh,
struct ext4_xattr_entry *e = entry;
int err = -EFSCORRUPTED;
char *err_str;
-

+ ext4_error_inode(inode, "check_xattrs", 198, 0, "wow! we are in check_xattrs");

if (bh) {
if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) ||
BHDR(bh)->h_blocks != cpu_to_le32(1)) {

--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=10b1c92f980000

kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=11a49334580000

[syzbot]

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: 24d9e8b3 Merge tag 'slab-for-6.18' of git://git.kernel..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=114b1214580000

kernel config: https://syzkaller.appspot.com/x/.config?x=2bc5f6d89013f5e0
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=11731214580000

[syzbot]

[syzbot]

fs/ext4/inline.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1b094a4f3866..d6541e661dfa 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1614,9 +1614,19 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,

if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE)
goto out;
-
+

inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;

+ void *inode_start = ext4_raw_inode(&is.iloc);
+ void *inode_end = inode_start + EXT4_INODE_SIZE(dir->i_sb);
+
+ if (inline_start < inode_start ||
+ inline_start >= inode_end ||
+ inline_start + inline_size > inode_end) {

+ printk(KERN_WARNING "found error in ext4_find_inline_entry\n");

+ ret = -EFSCORRUPTED;
+ goto out;
+ }

ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
dir, fname, 0, res_dir);

--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=106ecee2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a

dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=120ecee2580000

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=115aa85b980000

kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=17c6aa7c580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject inline data flag when i_extra_size is zero

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=117c0304580000

kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=159c0304580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=134ad942580000

kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=100165cd980000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject system.data xattr with external inode storage

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inline directory
xattr entries that claim to use external inode storage.

ext4 uses the "system.data" xattr to store inline directory entries
within the inode. When an inode has the EXT4_INODE_INLINE_DATA flag set,
the system.data xattr must use inline storage (e_value_inum == 0).

However, a corrupted filesystem can craft a system.data xattr entry with
e_value_inum != 0, creating an inconsistency. The existing validation in
check_xattrs() skips e_value_offs validation when e_value_inum != 0,
allowing a corrupt e_value_offs to pass through unchecked.

Later, when ext4_find_inline_entry() is called, ext4_get_inline_xattr_pos()
reads the corrupt e_value_offs and calculates an inline_start pointer that

can point outside the inode buffer, potentially into freed memory. When

ext4_search_dir() attempts to access this invalid pointer, it results in

a KASAN use-after-free.

Fix this by validating in check_xattrs() that if an inode has the inline
data flag set, the system.data xattr entry must have e_value_inum == 0.
This enforces the consistency between the inode flag and xattr storage
type, catching the corruption at validation time during inode load before
the corrupt pointer can be used.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..d082fff675ac 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5417,6 +5417,12 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {

+ if (ext4_has_inline_data(inode)) {

+ ext4_error_inode(inode, function, line, 0,

+ "inline data flag set but i_extra_isize is zero");
+ ret = -EFSCORRUPTED;

+ goto bad_inode;
+ }
/* The extra space is currently unused. Use it. */
BUILD_BUG_ON(sizeof(struct ext4_inode) & 3);

ei->i_extra_isize = sizeof(struct ext4_inode) -

--
2.43.0

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: use-after-free Read in ext4_search_dir

loop0: detected capacity change from 1024 to 767

==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469

Read of size 1 at addr ffff888047c19e53 by task syz.0.25/5994

CPU: 0 UID: 0 PID: 5994 Comm: syz.0.25 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
ext4_search_dir+0xf1/0x1b0 fs/ext4/namei.c:1469
ext4_find_inline_entry+0x492/0x5f0 fs/ext4/inline.c:1621
__ext4_find_entry+0x2fd/0x1f20 fs/ext4/namei.c:1542
ext4_lookup_entry fs/ext4/namei.c:1703 [inline]
ext4_lookup+0x13d/0x6c0 fs/ext4/namei.c:1771
lookup_open fs/namei.c:3774 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x10fe/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]

__do_sys_creat fs/open.c:1528 [inline]
__se_sys_creat fs/open.c:1522 [inline]
__x64_sys_creat+0x8f/0xc0 fs/open.c:1522

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f30dc98eec9

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f30dd80c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007f30dcbe5fa0 RCX: 00007f30dc98eec9

RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000100

RBP: 00007f30dca11f91 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f30dcbe6038 R14: 00007f30dcbe5fa0 R15: 00007ffd1c506f18

</TASK>

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1ce pfn:0x47c19
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
raw: 04fff00000000000 ffffea00011f0688 ffffea00011f6088 0000000000000000
raw: 00000000000001ce 0000000000000000 00000000ffffffff 0000000000000000

page dumped because: kasan: bad access detected
page_owner tracks the page as freed

page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 5999, tgid 5999 (cmp), ts 160342984478, free_ts 160390502500
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
prep_new_page mm/page_alloc.c:1858 [inline]
get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3884
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183

alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
folio_alloc_mpol_noprof mm/mempolicy.c:2435 [inline]
vma_alloc_folio_noprof+0xe4/0x200 mm/mempolicy.c:2470
folio_prealloc+0x30/0x180 mm/memory.c:-1

wp_page_copy mm/memory.c:3679 [inline]
do_wp_page+0x1231/0x5800 mm/memory.c:4140
handle_pte_fault mm/memory.c:6193 [inline]
__handle_mm_fault+0x1033/0x5400 mm/memory.c:6318
handle_mm_fault+0x40a/0x8e0 mm/memory.c:6487

do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623

page last free pid 5999 tgid 5999 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
free_unref_folios+0xdb3/0x14f0 mm/page_alloc.c:2963
folios_put_refs+0x584/0x670 mm/swap.c:1002
free_pages_and_swap_cache+0x277/0x520 mm/swap_state.c:355

__tlb_batch_free_encoded_pages mm/mmu_gather.c:136 [inline]
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:397 [inline]
tlb_flush_mmu+0x3a0/0x680 mm/mmu_gather.c:404
tlb_finish_mmu+0xc3/0x1d0 mm/mmu_gather.c:497
exit_mmap+0x444/0xb40 mm/mmap.c:1293

__mmput+0x118/0x430 kernel/fork.c:1133
exit_mm+0x1da/0x2c0 kernel/exit.c:582
do_exit+0x648/0x2300 kernel/exit.c:954
do_group_exit+0x21c/0x2d0 kernel/exit.c:1107
__do_sys_exit_group kernel/exit.c:1118 [inline]
__se_sys_exit_group kernel/exit.c:1116 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1116

x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff888047c19d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888047c19d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888047c19e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888047c19e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888047c19f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=126965cd980000

kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=13911ee2580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] ext4: reject inline data flag when i_extra_isize is zero

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Prevent use-after-free in ext4_search_dir by rejecting inodes that
claim to have inline data but have no extra inode space allocated.
ext4 inline data is stored in the extra inode space beyond the
standard 128-byte inode structure. This requires i_extra_isize to be
non-zero to provide space for the system.data xattr that stores the
inline directory entries or file data.
However, a corrupted filesystem can craft an inode with both:
- i_extra_isize == 0 (no extra space)
- EXT4_INODE_INLINE_DATA flag set (claims to use extra space)
This creates a fundamental inconsistency. When i_extra_isize is zero,
ext4_iget() skips calling ext4_iget_extra_inode(), which means the
inline xattr validation in check_xattrs() never runs. Later, when
ext4_find_inline_entry() attempts to access the inline data, it reads
unvalidated and potentially corrupt xattr structures, leading to
out-of-bounds memory access and use-after-free.
Fix this by validating in ext4_iget() that if an inode has the
EXT4_INODE_INLINE_DATA flag set, i_extra_isize must be non-zero.
This catches the corruption at inode load time before any inline
data operations are attempted.

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---

fs/ext4/inode.c | 13 ++++++++++++-
fs/ext4/xattr.c | 2 +-
2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 5b7a15db4953..257e9b1c6416 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c

@@ -5099,7 +5099,8 @@ static inline int ext4_iget_extra_inode(struct inode *inode,
if (EXT4_INODE_HAS_XATTR_SPACE(inode) &&
*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
int err;
-
+ ext4_error_inode(inode, "ext4_iget_extra_inode", 5102, 0,
+ "wow this inode has extra space");
err = xattr_check_inode(inode, IHDR(inode, raw_inode),
ITAIL(inode, raw_inode));
if (err)
@@ -5112,6 +5113,7 @@ static inline int ext4_iget_extra_inode(struct inode *inode,
return err;
} else
EXT4_I(inode)->i_inline_off = 0;
+
return 0;
}

@@ -5414,6 +5416,13 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
ei->i_sync_tid = tid;
ei->i_datasync_tid = tid;
}
+ if (EXT4_INODE_SIZE(inode->i_sb) < EXT4_GOOD_OLD_INODE_SIZE) {

+ ext4_error_inode(inode, function, line, 0,

+ "wow! this inode has less data");
+ if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA)) {
+ ext4_error_inode(inode, function, line, 0, "wow! this inode is line");
+ }
+ }

if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
if (ei->i_extra_isize == 0) {

@@ -5422,6 +5431,8 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,

ei->i_extra_isize = sizeof(struct ext4_inode) -

EXT4_GOOD_OLD_INODE_SIZE;
} else {

+ ext4_error_inode(inode, function, line, 0,

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=1047c92f980000

kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=139576e2580000

[syzbot]

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+3ee481...@syzkaller.appspotmail.com
Tested-by: syzbot+3ee481...@syzkaller.appspotmail.com

Tested on:

commit: e406d57b Merge tag 'mm-nonmm-stable-2025-10-02-15-29' ..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=142d76e2580000

kernel config: https://syzkaller.appspot.com/x/.config?x=84e81c4d0c0e900a
dashboard link: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=163e9334580000