1. Patchew
  2. linux
  3. View series

[PATCH v2] Fix: ext4: guard against EA inode refcount underflow in xattr update

Ahmet Eray Karadag posted 1 patch 1 week, 5 days ago 
fs/ext4/xattr.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
[PATCH v2] Fix: ext4: guard against EA inode refcount underflow in xattr update
Posted by Ahmet Eray Karadag 1 week, 5 days ago 
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:

  EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
  EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().

This prevents the underflow and the follow-on orphan/cleanup churn.

Reported-by: syzbot+0be4f339a8218d2a5bb1@syzkaller.appspotmail.com
Fixes: https://syzbot.org/bug?extid=0be4f339a8218d2a5bb1
Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
---
v2:
 - Move underflow guard before the update
 - Add overflow guard for the opposite case
 - Use u64 type instead s64, since ext4_xattr_inode_update_ref() returns u64 and ext4_xattr_inode_set_ref() expects u64.

---
 fs/ext4/xattr.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 5a6fe1513fd2..a510693e04ac 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1019,7 +1019,7 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
 				       int ref_change)
 {
 	struct ext4_iloc iloc;
-	s64 ref_count;
+	u64 ref_count;
 	int ret;
 
 	inode_lock_nested(ea_inode, I_MUTEX_XATTR);
@@ -1029,13 +1029,17 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
 		goto out;
 
 	ref_count = ext4_xattr_inode_get_ref(ea_inode);
+	if ((ref_count == 0 && ref_change < 0) || (ref_count == U64_MAX && ref_change > 0)) {
+		ext4_error_inode(ea_inode, __func__, __LINE__, 0,
+			"EA inode %lu ref wraparound: ref_count=%lld ref_change=%d",
+			ea_inode->i_ino, ref_count, ref_change);
+		ret = -EFSCORRUPTED;
+		goto out;
+	}
 	ref_count += ref_change;
 	ext4_xattr_inode_set_ref(ea_inode, ref_count);
 
 	if (ref_change > 0) {
-		WARN_ONCE(ref_count <= 0, "EA inode %lu ref_count=%lld",
-			  ea_inode->i_ino, ref_count);
-
 		if (ref_count == 1) {
 			WARN_ONCE(ea_inode->i_nlink, "EA inode %lu i_nlink=%u",
 				  ea_inode->i_ino, ea_inode->i_nlink);
@@ -1044,9 +1048,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
 			ext4_orphan_del(handle, ea_inode);
 		}
 	} else {
-		WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld",
-			  ea_inode->i_ino, ref_count);
-
 		if (ref_count == 0) {
 			WARN_ONCE(ea_inode->i_nlink != 1,
 				  "EA inode %lu i_nlink=%u",
-- 
2.34.1
Re: [PATCH v2] Fix: ext4: guard against EA inode refcount underflow in xattr update
Posted by Theodore Ts'o 5 days, 7 hours ago 
On Sat, 20 Sep 2025 05:13:43 +0300, Ahmet Eray Karadag wrote:
> syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
> inode refcount that is already <= 0 and then applies ref_change (often
> -1). That lets the refcount underflow and we proceed with a bogus value,
> triggering errors like:
> 
>   EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
>   EXT4-fs warning: ea_inode dec ref err=-117
> 
> [...]

Applied, thanks!

[1/1] Fix: ext4: guard against EA inode refcount underflow in xattr update
      commit: 57295e835408d8d425bef58da5253465db3d6888

Best regards,
-- 
Theodore Ts'o <tytso@mit.edu>
Re: [PATCH v2] Fix: ext4: guard against EA inode refcount underflow in xattr update
Posted by Darrick J. Wong 1 week, 1 day ago 
On Sat, Sep 20, 2025 at 05:13:43AM +0300, Ahmet Eray Karadag wrote:
> syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
> inode refcount that is already <= 0 and then applies ref_change (often
> -1). That lets the refcount underflow and we proceed with a bogus value,
> triggering errors like:
> 
>   EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
>   EXT4-fs warning: ea_inode dec ref err=-117
> 
> Make the invariant explicit: if the current refcount is non-positive,
> treat this as on-disk corruption, emit ext4_error_inode(), and fail the
> operation with -EFSCORRUPTED instead of updating the refcount. Delete the
> WARN_ONCE() as negative refcounts are now impossible; keep error reporting
> in ext4_error_inode().
> 
> This prevents the underflow and the follow-on orphan/cleanup churn.
> 
> Reported-by: syzbot+0be4f339a8218d2a5bb1@syzkaller.appspotmail.com
> Fixes: https://syzbot.org/bug?extid=0be4f339a8218d2a5bb1
> Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
> ---
> v2:
>  - Move underflow guard before the update
>  - Add overflow guard for the opposite case
>  - Use u64 type instead s64, since ext4_xattr_inode_update_ref() returns u64 and ext4_xattr_inode_set_ref() expects u64.
> 
> ---
>  fs/ext4/xattr.c | 15 ++++++++-------
>  1 file changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
> index 5a6fe1513fd2..a510693e04ac 100644
> --- a/fs/ext4/xattr.c
> +++ b/fs/ext4/xattr.c
> @@ -1019,7 +1019,7 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
>  				       int ref_change)
>  {
>  	struct ext4_iloc iloc;
> -	s64 ref_count;
> +	u64 ref_count;
>  	int ret;
>  
>  	inode_lock_nested(ea_inode, I_MUTEX_XATTR);
> @@ -1029,13 +1029,17 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
>  		goto out;
>  
>  	ref_count = ext4_xattr_inode_get_ref(ea_inode);
> +	if ((ref_count == 0 && ref_change < 0) || (ref_count == U64_MAX && ref_change > 0)) {

/me wonders if you could use check_add_overflow for this, but otherwise
everthing looks fine to me...

> +		ext4_error_inode(ea_inode, __func__, __LINE__, 0,
> +			"EA inode %lu ref wraparound: ref_count=%lld ref_change=%d",

Nit: %llu since ref_count is now unsigned.

> +			ea_inode->i_ino, ref_count, ref_change);
> +		ret = -EFSCORRUPTED;
> +		goto out;
> +	}
>  	ref_count += ref_change;
>  	ext4_xattr_inode_set_ref(ea_inode, ref_count);
>  
>  	if (ref_change > 0) {
> -		WARN_ONCE(ref_count <= 0, "EA inode %lu ref_count=%lld",
> -			  ea_inode->i_ino, ref_count);
> -
>  		if (ref_count == 1) {
>  			WARN_ONCE(ea_inode->i_nlink, "EA inode %lu i_nlink=%u",
>  				  ea_inode->i_ino, ea_inode->i_nlink);

...though while you're modifying the precondition checking here, I think
these i_nlink preconditions should also be hoisted to the top and cause
an EFSCORRUPTED return on bad inputs.

--D

> @@ -1044,9 +1048,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
>  			ext4_orphan_del(handle, ea_inode);
>  		}
>  	} else {
> -		WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld",
> -			  ea_inode->i_ino, ref_count);
> -
>  		if (ref_count == 0) {
>  			WARN_ONCE(ea_inode->i_nlink != 1,
>  				  "EA inode %lu i_nlink=%u",
> -- 
> 2.34.1
> 
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.