Ye Bin
27202452b0
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
[ Upstream commit 5701875f96 ]
There's an issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
The above issue happens because ext4_xattr_delete_inode() doesn't check whether
the xattr is valid if the xattr is in the inode.
To solve the above issue, call xattr_check_inode() to check if the xattr is valid
in the inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
Fixes: e50e5129f3 ("ext4: xattr-in-inode support")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250208063141.1539283-3-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-01-19 13:12:09 +01:00
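As an added illustration (not the kernel's code and not part of this commit), a userspace C model of the bounds check the fix relies on: walking the in-inode xattr region and validating each entry's header, name and inline value against the region's end before any field is dereferenced, which is what prevents the out-of-bound read in the trace above. The layout constants follow the ext4 on-disk xattr format; the 64-byte sample region and the check_sample() helper are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On-disk ext4 xattr entry header (16 bytes, little-endian); e_name follows it,
 * padded to a 4-byte boundary. A 32-bit zero word marks the last entry. */
enum { E_NAME_LEN = 0, E_NAME_INDEX = 1, E_VALUE_OFFS = 2, E_VALUE_INUM = 4,
       E_VALUE_SIZE = 8, E_HASH = 12, ENTRY_HDR = 16, XATTR_MAGIC = 0xEA020000u };
#define XATTR_LEN(nl) (((nl) + 3 + ENTRY_HDR) & ~(size_t)3)

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk the in-inode xattr region: 4-byte magic, then entries. Every field is
 * bounds-checked before it is read; inline values (e_value_inum == 0) must lie
 * inside the region. Returns 0 when consistent, -1 when corrupted. */
int ibody_xattr_check(const uint8_t *ibody, size_t len)
{
    if (len < 4 || le32(ibody) != XATTR_MAGIC)
        return -1;
    const uint8_t *first = ibody + 4, *end = ibody + len, *e = first;
    for (;;) {
        if ((size_t)(end - e) < 4) return -1;          /* no room for the terminator */
        if (le32(e) == 0) return 0;                    /* last entry reached */
        size_t entry_len = XATTR_LEN(e[E_NAME_LEN]);   /* name_len is byte 0, already in range */
        if ((size_t)(end - e) < entry_len) return -1;  /* header or name overruns the region */
        uint32_t inum = le32(e + E_VALUE_INUM), size = le32(e + E_VALUE_SIZE);
        size_t offs = le16(e + E_VALUE_OFFS), avail = (size_t)(end - first);
        if (inum == 0 && size != 0 && (offs > avail || size > avail - offs))
            return -1;                                 /* inline value overruns the region */
        e += entry_len;
    }
}

/* Constructed 64-byte sample region (not real disk data) holding one "user.a"
 * entry whose 2-byte inline value is claimed to be value_size bytes long. */
int check_sample(uint32_t value_size, size_t region_len)
{
    uint8_t buf[64] = {0};
    wr32(buf, XATTR_MAGIC);
    uint8_t *e = buf + 4;
    e[E_NAME_LEN] = 1; e[E_NAME_INDEX] = 1;            /* index 1 = "user." prefix */
    wr16(e + E_VALUE_OFFS, 40); wr32(e + E_VALUE_SIZE, value_size);
    e[ENTRY_HDR] = 'a';                                /* entry spans 20 bytes; terminator follows */
    memcpy(buf + 4 + 40, "hi", 2);
    return ibody_xattr_check(buf, region_len < sizeof buf ? region_len : sizeof buf);
}
```

check_sample(2, 64) is the well-formed case; an oversized e_value_size or a region cut short before the terminator is rejected instead of being read past its end.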