For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ext4: hold buffer reference in ext4_read_inline_dir to prevent UAF
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Hold an additional buffer reference during ext4_read_inline_data() to
prevent use-after-free. The iloc buffer_head could be freed by another
thread while ext4_read_inline_data() is accessing it, leading to a
use-after-free read.

The fix ensures the buffer remains valid during the critical section:
- get_bh() before calling ext4_read_inline_data() increments refcount
- Even if another thread calls brelse(), refcount stays above zero
- Buffer cannot be freed while we hold the reference
- brelse() after ext4_read_inline_data() decrements refcount safely

Reported-by: syzbot+6986a30df88382d1f7bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6986a30df88382d1f7bf
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ext4/inline.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1f6bc05593df..b7dcbef4d5aa 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1395,14 +1395,25 @@ int ext4_read_inline_dir(struct file *file,
 	}
 
 	inline_size = ext4_get_inline_size(inode);
+
+	/*
+	 * Hold an additional reference to the iloc buffer to prevent
+	 * use-after-free. The buffer could be freed by another thread
+	 * during ext4_read_inline_data() if we don't hold a reference.
+	 */
+	get_bh(iloc.bh);
+
 	dir_buf = kmalloc(inline_size, GFP_NOFS);
 	if (!dir_buf) {
 		ret = -ENOMEM;
+		brelse(iloc.bh);
 		up_read(&EXT4_I(inode)->xattr_sem);
 		goto out;
 	}
 
 	ret = ext4_read_inline_data(inode, dir_buf, inline_size, &iloc);
+	brelse(iloc.bh);
+
 	up_read(&EXT4_I(inode)->xattr_sem);
 	if (ret < 0)
 		goto out;
-- 
2.43.0