lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000000000000b0c2ea060c83f56c@google.com>
Date: Thu, 14 Dec 2023 19:26:02 -0800
From: syzbot <syzbot+f4582777a19ec422b517@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org
Subject: Re: [syzbot] [ext4?] kernel BUG in ext4_write_inline_data

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org.

***

Subject: [ext4?] kernel BUG in ext4_write_inline_data
Author: eadavis@...com

please test kernel BUG in ext4_write_inline_data

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 44c026a73be8

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 9a84a5f9fef4..e0d261ffe623 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -169,6 +169,7 @@ int ext4_find_inline_data_nolock(struct inode *inode)
 					(void *)ext4_raw_inode(&is.iloc));
 		EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
 				le32_to_cpu(is.s.here->e_value_size);
+		printk("iis: %d, in: %p, %s\n", EXT4_I(inode)->i_inline_size, inode, __func__);
 	}
 out:
 	brelse(is.iloc.bh);
@@ -232,7 +233,9 @@ static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc,
 		return;
 
 	BUG_ON(!EXT4_I(inode)->i_inline_off);
-	BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
+	printk("pos: %d, len: %d, in: %p, iis: %d, %s\n", pos, len, inode, EXT4_I(inode)->i_inline_size, __func__);
+	if (EXT4_I(inode)->i_inline_size > 0)
+		BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
 
 	raw_inode = ext4_raw_inode(iloc);
 	buffer += pos;
@@ -314,6 +317,7 @@ static int ext4_create_inline_data(handle_t *handle,
 	EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
 				      (void *)ext4_raw_inode(&is.iloc));
 	EXT4_I(inode)->i_inline_size = len + EXT4_MIN_INLINE_DATA_SIZE;
+	printk("len: %d, in: %p, iis: %d, %s\n", len, inode, EXT4_I(inode)->i_inline_size, __func__);
 	ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
 	ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
 	get_bh(is.iloc.bh);
@@ -381,6 +385,7 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
 				      (void *)ext4_raw_inode(&is.iloc));
 	EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
 				le32_to_cpu(is.s.here->e_value_size);
+	printk("iis: %d, in:%p, %s\n", EXT4_I(inode)->i_inline_size, inode, __func__);
 	ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
 	get_bh(is.iloc.bh);
 	error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
@@ -469,6 +474,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
 
 	EXT4_I(inode)->i_inline_off = 0;
 	EXT4_I(inode)->i_inline_size = 0;
+	printk("iis: %d, in: %p, %s\n", EXT4_I(inode)->i_inline_size, inode, __func__);
 	ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
 out:
 	brelse(is.iloc.bh);
@@ -1979,6 +1985,7 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
 		EXT4_I(inode)->i_inline_size = i_size <
 					EXT4_MIN_INLINE_DATA_SIZE ?
 					EXT4_MIN_INLINE_DATA_SIZE : i_size;
+		printk("isize: %d, in: %p, iis: %d, %s\n", i_size, inode, EXT4_I(inode)->i_inline_size, __func__);
 	}
 
 out_error:


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ