Message-ID: <20251008123418.GK386127@mit.edu>
Date: Wed, 8 Oct 2025 08:34:18 -0400
From: "Theodore Ts'o" <tytso@....edu>
To: Ahmet Eray Karadag <eraykrdg1@...il.com>
Cc: adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
linux-kernel@...r.kernel.org, david.hunter.linux@...il.com,
skhan@...uxfoundation.org,
syzbot+f3185be57d7e8dda32b8@...kaller.appspotmail.com,
Albin Babu Varghese <albinbabuvarghese20@...il.com>
Subject: Re: [PATCH] Fix: ext4: add sanity check for inode inline write range
On Wed, Oct 08, 2025 at 02:42:22AM +0300, Ahmet Eray Karadag wrote:
> Add a simple check in ext4_try_to_write_inline_data() to prevent
> writes that extend past the inode's inline data area. The function
> now returns -EINVAL if pos + len exceeds i_inline_size.
The commit description doesn't match with what the patch does. The
patch changes ext4_write_inline_data_end() and not
ext4_try_to_write_inline_data(). ext4_try_to_write_inline_data() is
called from ext4_write_begin(), and it does this:

	if (pos + len > ext4_get_max_inline_size(inode))
		return ext4_convert_inline_data_to_extent(mapping, inode);

So if the write extends past the inline data area, in ext4_write_begin()
it will have already been converted to a non-inline function.
The ext4_write_inline_data_end() function is called from
ext4_write_end(), so you need to figure out why we hadn't configured
the file away from inline data in ext4_write_begin().
> Reported-by: syzbot+f3185be57d7e8dda32b8@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
Did you just randomly bash the code until the syzbot reproducer
stopped failing? Please try to understand the code and the failure
much more deeply before attempting to change the code.
Cheers,
- Ted
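The ordering argument in the reply above, that the inline-data capacity check belongs in the write_begin path and that write_end therefore only sees writes which already fit (or an inode already converted away from inline data), can be modelled in a few lines of C. The following is an added toy model written for this page, not ext4 code: the struct, the `toy_*` names and the `MAX_INLINE_SIZE` value are all hypothetical, and "conversion" is reduced to clearing a flag. What it shows is that a late check in the write_end stage only ever fires when the begin stage did not run on the same inode, which is exactly the condition the reply says needs to be explained rather than papered over.

```c
/* Added toy model of a two-phase (write_begin / write_end) inline-data write.
 * Not ext4 code: all names and the inline capacity below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_INLINE_SIZE 60u   /* assumed inline capacity, stands in for ext4_get_max_inline_size() */

struct toy_inode {
    bool inline_data;                    /* file data still lives inside the inode */
    unsigned char data[MAX_INLINE_SIZE];
    uint64_t size;
};

void toy_inode_init(struct toy_inode *inode)
{
    memset(inode, 0, sizeof(*inode));
    inode->inline_data = true;
}

/* The quoted condition "pos + len > max inline size", written so that a huge
 * pos or len cannot wrap the addition before the comparison. */
static bool exceeds_inline(uint64_t pos, size_t len)
{
    return len > MAX_INLINE_SIZE || pos > MAX_INLINE_SIZE - len;
}

/* Plays the role of ext4_try_to_write_inline_data() in the begin stage:
 * a write that does not fit forces the inode away from inline data. */
int toy_write_begin(struct toy_inode *inode, uint64_t pos, size_t len)
{
    if (!inode->inline_data)
        return 0;                 /* already a regular, non-inline file */
    if (exceeds_inline(pos, len)) {
        inode->inline_data = false;   /* stands in for ext4_convert_inline_data_to_extent() */
        return 1;                 /* converted; the non-inline path takes over */
    }
    return 2;                     /* write will be served inline */
}

/* Plays the role of ext4_write_inline_data_end() in the end stage.
 * Returns bytes copied, 0 if the inode is no longer inline, -1 if the
 * write does not fit (reachable only when the begin stage was skipped). */
int toy_write_end(struct toy_inode *inode, uint64_t pos, size_t len, const void *buf)
{
    if (!inode->inline_data)
        return 0;
    if (exceeds_inline(pos, len))
        return -1;
    memcpy(inode->data + pos, buf, len);
    if (pos + len > inode->size)
        inode->size = pos + len;
    return (int)len;
}

/* A normal write goes through both stages in order. */
int toy_write(struct toy_inode *inode, uint64_t pos, size_t len, const void *buf)
{
    toy_write_begin(inode, pos, len);
    return toy_write_end(inode, pos, len, buf);
}

/* Scenario 1: a write that fits stays inline and is copied in full. */
int demo_fits(void)
{
    struct toy_inode ino;
    toy_inode_init(&ino);
    int rc = toy_write(&ino, 0, 10, "0123456789");   /* constructed input */
    return (rc == 10 && ino.inline_data && ino.size == 10) ? 1 : 0;
}

/* Scenario 2: a write past the inline area is converted in the begin stage,
 * so the end stage sees a non-inline inode and never reaches its size check. */
int demo_converted_in_begin(void)
{
    struct toy_inode ino;
    unsigned char buf[20] = {0};                      /* constructed input */
    toy_inode_init(&ino);
    int rc = toy_write(&ino, 50, sizeof buf, buf);
    return (rc == 0 && !ino.inline_data) ? 1 : 0;
}

/* Scenario 3: only when the end stage runs without a matching begin stage
 * does an oversized write reach the end-stage check. */
int demo_end_without_begin(void)
{
    struct toy_inode ino;
    unsigned char buf[20] = {0};                      /* constructed input */
    toy_inode_init(&ino);
    return toy_write_end(&ino, 50, sizeof buf, buf) == -1 ? 1 : 0;
}
```

Scenario 3 is the one that matters for review: in this model the end-stage check is dead code unless something let a write reach write_end without having been through write_begin's conversion on the same inode, which is the question the reply asks the submitter to answer.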