[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4962e5a0-a03e-4e9a-8f8e-5db04504c30e@huaweicloud.com>
Date: Thu, 9 Oct 2025 10:11:00 +0800
From: Zhang Yi <yi.zhang@...weicloud.com>
To: Deepanshu Kartikey <kartikey406@...il.com>
Cc: tytso@....edu, adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+038b7bf43423e132b308@...kaller.appspotmail.com,
Zhang Yi <yi.zhang@...wei.com>
Subject: Re: [PATCH v4] ext4: detect invalid INLINE_DATA + EXTENTS flag
combination
On 9/30/2025 7:28 PM, Deepanshu Kartikey wrote:
> syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity
> file on a corrupted ext4 filesystem mounted without a journal.
>
> The issue is that the filesystem has an inode with both the INLINE_DATA
> and EXTENTS flags set:
>
> EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
> comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
>
> Investigation revealed that the inode has both flags set:
> DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
>
> This is an invalid combination since an inode should have either:
> - INLINE_DATA: data stored directly in the inode
> - EXTENTS: data stored in extent-mapped blocks
>
> Having both flags causes ext4_has_inline_data() to return true, skipping
> extent tree validation in __ext4_iget(). The unvalidated out-of-order
> extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer
> underflow when calculating hole sizes.
>
> Fix this by detecting this invalid flag combination early in ext4_iget()
> and rejecting the corrupted inode.
>
> Reported-and-tested-by: syzbot+038b7bf43423e132b308@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=038b7bf43423e132b308
> Suggested-by: Zhang Yi <yi.zhang@...wei.com>
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
Thanks for the fix, it looks good to me.
Reviewed-by: Zhang Yi <yi.zhang@...wei.com>
>
> ---
> Changes in v4:
> - Move check to right after ext4_set_inode_flags() as suggested by Zhang Yi,
> since we're checking flags directly (not ext4_has_inline_data() return value)
>
> Changes in v3:
> - Fix code alignment and use existing function/line variables per Zhang Yi
>
> Changes in v2:
> - Instead of adding validation in ext4_find_extent(), detect the invalid
> INLINE_DATA + EXTENTS flag combination in ext4_iget() as suggested by
> Zhang Yi to avoid redundant checks in the extent lookup path
> ---
> fs/ext4/inode.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 5b7a15db4953..2fef378dbc97 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -5348,6 +5348,14 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
> }
> ei->i_flags = le32_to_cpu(raw_inode->i_flags);
> ext4_set_inode_flags(inode, true);
> + /* Detect invalid flag combination - can't have both inline data and extents */
> + if (ext4_test_inode_flag(inode, EXT4_INODE_INLINE_DATA) &&
> + ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) {
> + ext4_error_inode(inode, function, line, 0,
> + "inode has both inline data and extents flags");
> + ret = -EFSCORRUPTED;
> + goto bad_inode;
> + }
> inode->i_blocks = ext4_inode_blocks(raw_inode, ei);
> ei->i_file_acl = le32_to_cpu(raw_inode->i_file_acl_lo);
> if (ext4_has_feature_64bit(sb))
Powered by blists - more mailing lists