From: Thadeu Lima de Souza Cascardo
To: linux-ext4@vger.kernel.org
Cc: Theodore Ts'o, linux-kernel@vger.kernel.org, Tao Ma, Andreas Dilger, kernel-dev@igalia.com, Thadeu Lima de Souza Cascardo
Subject: [PATCH 1/4] ext4: ext4_search_dir should return a proper error
Date: Wed, 21 Aug 2024 12:23:21 -0300
Message-Id: <20240821152324.3621860-2-cascardo@igalia.com>
In-Reply-To: <20240821152324.3621860-1-cascardo@igalia.com>
References: <20240821152324.3621860-1-cascardo@igalia.com>

ext4_search_dir currently returns -1 in case of a failure, while it returns 0 when the name is not found. In such failure cases, it should return an error code instead.

This becomes even more important when ext4_find_inline_entry returns an error code as well in the next commit.

-EFSCORRUPTED seems appropriate as such error code as these failures would be caused by unexpected record lengths and is in line with other instances of ext4_check_dir_entry failures.

In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was left as is to reduce the risk of regressions.

Signed-off-by: Thadeu Lima de Souza Cascardo
--- fs/ext4/namei.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 6a95713f9193..8af437ac3051 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -1482,7 +1482,7 @@ static bool ext4_match(struct inode *parent, } =20 /* - * Returns 0 if not found, -1 on failure, and 1 on success + * Returns 0 if not found, -EFSCORRUPTED on failure, and 1 on success */ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size, struct inode *dir, struct ext4_filename *fname, 
@@ -1503,7 +1503,7 @@ int ext4_search_dir(struct buffer_head *bh, char *sea= rch_buf, int buf_size, * a full check */ if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf, buf_size, offset)) - return -1; + return -EFSCORRUPTED; *res_dir =3D de; return 1; } @@ -1511,7 +1511,7 @@ int ext4_search_dir(struct buffer_head *bh, char *sea= rch_buf, int buf_size, de_len =3D ext4_rec_len_from_disk(de->rec_len, dir->i_sb->s_blocksize); if (de_len <=3D 0) - return -1; + return -EFSCORRUPTED; offset +=3D de_len; de =3D (struct ext4_dir_entry_2 *) ((char *) de + de_len); } @@ -1663,8 +1663,10 @@ static struct buffer_head *__ext4_find_entry(struct = inode *dir, goto cleanup_and_exit; } else { brelse(bh); - if (i < 0) + if (i < 0) { + ret =3D ERR_PTR(i); goto cleanup_and_exit; + } } next: if (++block >=3D nblocks) 
@@ -1758,7 +1760,7 @@ static struct buffer_head * ext4_dx_find_entry(struct= inode *dir, if (retval =3D=3D 1) goto success; brelse(bh); - if (retval =3D=3D -1) { + if (retval < 0) { bh =3D ERR_PTR(ERR_BAD_DX_DIR); goto errout; } --=20 2.34.1
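Review bot: In the __ext4_find_entry hunk (@@ -1663), `ret = ERR_PTR(i)` changes what the lookup returns when ext4_search_dir fails on a block, and the commit message does not say so. The old branch was `if (i < 0) goto cleanup_and_exit;` with ret left untouched; now an encoded -EFSCORRUPTED reaches the caller. Please state this behavior change in the changelog so that anyone bisecting a new lookup error on a damaged directory can find it.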
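Review bot: In the ext4_dx_find_entry hunk (@@ -1758), `if (retval < 0)` now matches every negative return but still reports ERR_BAD_DX_DIR, so the -EFSCORRUPTED introduced earlier in this patch is discarded on this path. The changelog says this is deliberate; a short comment next to `bh = ERR_PTR(ERR_BAD_DX_DIR);` stating that the code is intentionally not propagated would keep a later cleanup from changing it by accident.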
From: Thadeu Lima de Souza Cascardo
To: linux-ext4@vger.kernel.org
Cc: Theodore Ts'o, linux-kernel@vger.kernel.org, Tao Ma, Andreas Dilger, kernel-dev@igalia.com, Thadeu Lima de Souza Cascardo
Subject: [PATCH 2/4] ext4: return error on ext4_find_inline_entry
Date: Wed, 21 Aug 2024 12:23:22 -0300
Message-Id: <20240821152324.3621860-3-cascardo@igalia.com>
In-Reply-To: <20240821152324.3621860-1-cascardo@igalia.com>
References: <20240821152324.3621860-1-cascardo@igalia.com>

In case of errors when reading an inode from disk or traversing inline directory entries, return an error-encoded ERR_PTR instead of returning NULL. ext4_find_inline_entry's only caller, __ext4_find_entry, already returns such encoded errors.

Signed-off-by: Thadeu Lima de Souza Cascardo --- fs/ext4/inline.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index e7a09a99837b..7b98b1bf1dc9 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1669,8 +1669,9 @@ struct buffer_head *ext4_find_inline_entry(struct ino= de *dir, void *inline_start; int inline_size; =20 - if (ext4_get_inode_loc(dir, &iloc)) - return NULL; + ret =3D ext4_get_inode_loc(dir, &iloc); + if (ret) + return ERR_PTR(ret); =20 down_read(&EXT4_I(dir)->xattr_sem); if (!ext4_has_inline_data(dir)) { 
@@ -1701,7 +1702,10 @@ struct buffer_head *ext4_find_inline_entry(struct in= ode *dir, =20 out: brelse(iloc.bh); - iloc.bh =3D NULL; + if (ret < 0) + iloc.bh =3D ERR_PTR(ret); + else + iloc.bh =3D NULL; out_find: up_read(&EXT4_I(dir)->xattr_sem); return iloc.bh; --=20 2.34.1
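Review bot: At the `out:` label (@@ -1701), iloc.bh is reused to carry ERR_PTR(ret) immediately after `brelse(iloc.bh)`, so the released buffer pointer and the function's return value share one variable. A separate local for the return value would read more clearly and make it harder for a later change to call brelse on an encoded error. The function now has three outcomes (a buffer head, NULL for not found, ERR_PTR on failure), which deserves a comment at its definition.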
From: Thadeu Lima de Souza Cascardo
To: linux-ext4@vger.kernel.org
Cc: Theodore Ts'o, linux-kernel@vger.kernel.org, Tao Ma, Andreas Dilger, kernel-dev@igalia.com, Thadeu Lima de Souza Cascardo
Subject: [PATCH 3/4] ext4: explicitly exit when ext4_find_inline_entry returns an error
Date: Wed, 21 Aug 2024 12:23:23 -0300
Message-Id: <20240821152324.3621860-4-cascardo@igalia.com>
In-Reply-To: <20240821152324.3621860-1-cascardo@igalia.com>
References: <20240821152324.3621860-1-cascardo@igalia.com>

__ext4_find_entry currently ignores the return of ext4_find_inline_entry, except for returning the bh or NULL when has_inline_data is 1.

Even though has_inline_data is set to 1 before calling ext4_find_inline_entry and would only be set to 0 when that function returns NULL, check for an encoded error return explicitly in order to exit.

That makes the code more readable, not requiring that one assumes the cases when has_inline_data is 1.

Signed-off-by: Thadeu Lima de Souza Cascardo
--- fs/ext4/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 8af437ac3051..14163b32eddb 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c 
@@ -1574,7 +1574,7 @@ static struct buffer_head *__ext4_find_entry(struct i= node *dir, &has_inline_data); if (inlined) *inlined =3D has_inline_data; - if (has_inline_data) + if (has_inline_data || IS_ERR(ret)) goto cleanup_and_exit; } =20 --=20 2.34.1
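Review bot: In the inline-data branch (@@ -1574), `*inlined = has_inline_data` is still stored before the new `IS_ERR(ret)` test, so on an error return the caller's `inlined` reads 1 although no entry was found. Either move the IS_ERR check ahead of that store or document that callers must test the returned pointer with IS_ERR before looking at `inlined`.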
From: Thadeu Lima de Souza Cascardo
To: linux-ext4@vger.kernel.org
Cc: Theodore Ts'o, linux-kernel@vger.kernel.org, Tao Ma, Andreas Dilger, kernel-dev@igalia.com, Thadeu Lima de Souza Cascardo, syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
Subject: [PATCH 4/4] ext4: avoid OOB when system.data xattr changes underneath the filesystem
Date: Wed, 21 Aug 2024 12:23:24 -0300
Message-Id: <20240821152324.3621860-5-cascardo@igalia.com>
In-Reply-To: <20240821152324.3621860-1-cascardo@igalia.com>
References: <20240821152324.3621860-1-cascardo@igalia.com>

When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF.

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
__ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
__do_sys_symlinkat fs/namei.c:4610 [inline]
__se_sys_symlinkat fs/namei.c:4607 [inline]
__x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e73ced469
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0

Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem.

Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
Signed-off-by: Thadeu Lima de Souza Cascardo
--- fs/ext4/inline.c | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c index 7b98b1bf1dc9..44a5f6df59ec 100644 --- a/fs/ext4/inline.c +++ b/fs/ext4/inline.c @@ -1664,25 +1664,36 @@ struct buffer_head *ext4_find_inline_entry(struct i= node *dir, struct ext4_dir_entry_2 **res_dir, int *has_inline_data) { + struct ext4_xattr_ibody_find is =3D { + .s =3D { .not_found =3D -ENODATA, }, + }; + struct ext4_xattr_info i =3D { + .name_index =3D EXT4_XATTR_INDEX_SYSTEM, + .name =3D EXT4_XATTR_SYSTEM_DATA, + }; int ret; - struct ext4_iloc iloc; void *inline_start; int inline_size; =20 - ret =3D ext4_get_inode_loc(dir, &iloc); + ret =3D ext4_get_inode_loc(dir, &is.iloc); if (ret) return ERR_PTR(ret); =20 down_read(&EXT4_I(dir)->xattr_sem); + + ret =3D ext4_xattr_ibody_find(dir, &i, &is); + if (ret) + goto out; + if (!ext4_has_inline_data(dir)) { *has_inline_data =3D 0; goto out; } =20 - inline_start =3D (void *)ext4_raw_inode(&iloc)->i_block + + inline_start =3D (void *)ext4_raw_inode(&is.iloc)->i_block + EXT4_INLINE_DOTDOT_SIZE; inline_size =3D EXT4_MIN_INLINE_DATA_SIZE - EXT4_INLINE_DOTDOT_SIZE; - ret =3D ext4_search_dir(iloc.bh, inline_start, inline_size, + ret =3D ext4_search_dir(is.iloc.bh, inline_start, inline_size, dir, fname, 0, res_dir); if (ret =3D=3D 1) goto out_find; 
@@ -1692,23 +1703,23 @@ struct buffer_head *ext4_find_inline_entry(struct i= node *dir, if (ext4_get_inline_size(dir) =3D=3D EXT4_MIN_INLINE_DATA_SIZE) goto out; =20 - inline_start =3D ext4_get_inline_xattr_pos(dir, &iloc); + inline_start =3D ext4_get_inline_xattr_pos(dir, &is.iloc); inline_size =3D ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE; =20 - ret =3D ext4_search_dir(iloc.bh, inline_start, inline_size, + ret =3D ext4_search_dir(is.iloc.bh, inline_start, inline_size, dir, fname, 0, res_dir); if (ret =3D=3D 1) goto out_find; =20 out: - brelse(iloc.bh); + brelse(is.iloc.bh); if (ret < 0) - iloc.bh =3D ERR_PTR(ret); + is.iloc.bh =3D ERR_PTR(ret); else - iloc.bh =3D NULL; + is.iloc.bh =3D NULL; out_find: up_read(&EXT4_I(dir)->xattr_sem); - return iloc.bh; + return is.iloc.bh; } =20 int ext4_delete_inline_entry(handle_t *handle, --=20 2.34.1
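Review bot: In the first hunk (@@ -1664), `is.s.not_found` is initialised to -ENODATA but nothing in the patch reads it after `ext4_xattr_ibody_find(dir, &i, &is)`; only the return value is checked. If the call is there purely for the xattr validity check described in the changelog, say so in a comment above it, since otherwise the unused search result looks like a forgotten test. The one-letter name `i` for the ext4_xattr_info is also easy to mistake for a loop index; a more descriptive name such as `info` would be clearer.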