From f4baf29ec7942e89f010133d7e848ba69d7f77f1 Mon Sep 17 00:00:00 2001
From: Nicolas Bretz
Date: Fri, 22 Nov 2024 08:23:38 -0700
Subject: [PATCH] ext4: kernel BUG in ext4_write_inline_data

kernel BUG at fs/ext4/inline.c:235!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI

Reported-by: syzbot+fe2a25dae02a207717a0@syzkaller.appspotmail.com
Signed-off-by: Nicolas Bretz
---
 fs/ext4/ext4.h   | 6 ++++++
 fs/ext4/inline.c | 2 +-
 fs/ext4/inode.c  | 3 ++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 44b0d418143c..b9d128243286 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3562,6 +3562,12 @@ extern int ext4_get_max_inline_size(struct inode *inode);
 extern int ext4_find_inline_data_nolock(struct inode *inode);
 extern int ext4_destroy_inline_data(handle_t *handle, struct inode *inode);
 
+static inline bool ext4_inline_possible(struct inode *inode,
+					loff_t pos, unsigned int len)
+{
+	return pos + len <= ext4_get_max_inline_size(inode);
+}
+
 int ext4_readpage_inline(struct inode *inode, struct folio *folio);
 extern int ext4_try_to_write_inline_data(struct address_space *mapping,
 					 struct inode *inode,
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 3536ca7e4fcc..ec25f066a2c2 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -668,7 +668,7 @@ int ext4_try_to_write_inline_data(struct address_space *mapping,
 	struct folio *folio;
 	struct ext4_iloc iloc;
 
-	if (pos + len > ext4_get_max_inline_size(inode))
+	if (!ext4_inline_possible(inode, pos, len))
 		goto convert;
 
 	ret = ext4_get_inode_loc(inode, &iloc);
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 54bdd4884fe6..d4c0e0a42b8e 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
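Review bot: The new `ext4_inline_possible()` helper in the ext4.h hunk has no comment, and its name reads like a cheap predicate while it goes through `ext4_get_max_inline_size()`, which (from the existing declaration above it, and as far as I recall its body) has to look up the inode location rather than test a cached field; the second caller this patch adds runs it on every delalloc write_end of an inline inode, so that cost should be visible at the declaration. Also worth stating is what a return of 0 from `ext4_get_max_inline_size()` means here (I believe it is its error/no-inline value, please confirm), since then the helper is false for any non-empty write. I'd add above the definition `/* True if a write of @len bytes at @pos fits the inode's maximum inline-data area.` followed by ` * Not cheap: goes through ext4_get_max_inline_size(). */`.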
@@ -3061,7 +3061,8 @@ static int ext4_da_write_end(struct file *file,
 
 	if (write_mode != CONVERT_INLINE_DATA &&
 	    ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA) &&
-	    ext4_has_inline_data(inode))
+	    ext4_has_inline_data(inode) &&
+	    ext4_inline_possible(inode, pos, len))
 		return ext4_write_inline_data_end(inode, pos, len, copied,
 						  folio);
 
-- 
2.39.5
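Review bot: The added `ext4_inline_possible(inode, pos, len)` term makes ext4_da_write_end silently skip ext4_write_inline_data_end when the data no longer fits, even though the inode still has inline data and write_begin (the inline.c hunk applies the same bound there) presumably prepared this folio for an inline write; the copied bytes then fall to the regular write_end path against an inode with no block mapping, which looks like silent data loss or a later inconsistency rather than a fix for the oops. It is also an unlocked time-of-check/time-of-use guard: if the inline capacity can change between write_begin and write_end, which is the only way pos + len could exceed a bound write_begin already checked, it can change again after this check, so the BUG_ON syzbot hits is narrowed, not closed. The reported location inline.c:235 is, as far as I recall, a check against the inode's current inline size, whereas this compares against the maximum inline size, so the guard may not even cover the failing case; please confirm and explain the race in the commit message, which currently only quotes the oops. I would rather fail visibly inside the inline branch, e.g. `if (WARN_ON_ONCE(!ext4_inline_possible(inode, pos, len))) return -EIO;`, or convert the inode to extents, than bypass the inline path. ext4_da_write_end starts and ends outside this hunk.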