From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, "Ye Bin" <yebin10@huawei.com>,
"Jan Kara" <jack@suse.cz>, "Theodore Tso" <tytso@mit.edu>,
"David Nyström" <david.nystrom@est.tech>
Subject: [PATCH 6.1 16/72] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
Date: Thu, 15 Jan 2026 17:48:26 +0100 [thread overview]
Message-ID: <20260115164144.081804783@linuxfoundation.org> (raw)
In-Reply-To: <20260115164143.482647486@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 5701875f9609b000d91351eaa6bfd97fe2f157f4 ]
There's issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Above issue happens as ext4_xattr_delete_inode() isn't check xattr
is valid if xattr is in inode.
To solve above issue call xattr_check_inode() check if xattr if valid
in inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250208063141.1539283-3-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 5 +++++
fs/ext4/xattr.c | 26 +-------------------------
fs/ext4/xattr.h | 7 +++++++
3 files changed, 13 insertions(+), 25 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4752,6 +4752,11 @@ static inline int ext4_iget_extra_inode(
*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
int err;
+ err = xattr_check_inode(inode, IHDR(inode, raw_inode),
+ ITAIL(inode, raw_inode));
+ if (err)
+ return err;
+
ext4_set_inode_state(inode, EXT4_STATE_XATTR);
err = ext4_find_inline_data_nolock(inode);
if (!err && ext4_has_inline_data(inode))
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -263,7 +263,7 @@ errout:
__ext4_xattr_check_block((inode), (bh), __func__, __LINE__)
-static int
+int
__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
void *end, const char *function, unsigned int line)
{
@@ -280,9 +280,6 @@ errout:
return error;
}
-#define xattr_check_inode(inode, header, end) \
- __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
-
static int
xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry,
void *end, int name_index, const char *name, int sorted)
@@ -600,9 +597,6 @@ ext4_xattr_ibody_get(struct inode *inode
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
end = ITAIL(inode, raw_inode);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
entry = IFIRST(header);
error = xattr_find_entry(inode, &entry, end, name_index, name, 0);
if (error)
@@ -734,7 +728,6 @@ ext4_xattr_ibody_list(struct dentry *den
struct ext4_xattr_ibody_header *header;
struct ext4_inode *raw_inode;
struct ext4_iloc iloc;
- void *end;
int error;
if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR))
@@ -744,14 +737,9 @@ ext4_xattr_ibody_list(struct dentry *den
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = ITAIL(inode, raw_inode);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
error = ext4_xattr_list_entries(dentry, IFIRST(header),
buffer, buffer_size);
-cleanup:
brelse(iloc.bh);
return error;
}
@@ -819,7 +807,6 @@ int ext4_get_inode_usage(struct inode *i
struct ext4_xattr_ibody_header *header;
struct ext4_xattr_entry *entry;
qsize_t ea_inode_refs = 0;
- void *end;
int ret;
lockdep_assert_held_read(&EXT4_I(inode)->xattr_sem);
@@ -830,10 +817,6 @@ int ext4_get_inode_usage(struct inode *i
goto out;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = ITAIL(inode, raw_inode);
- ret = xattr_check_inode(inode, header, end);
- if (ret)
- goto out;
for (entry = IFIRST(header); !IS_LAST_ENTRY(entry);
entry = EXT4_XATTR_NEXT(entry))
@@ -2197,9 +2180,6 @@ int ext4_xattr_ibody_find(struct inode *
is->s.here = is->s.first;
is->s.end = ITAIL(inode, raw_inode);
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
- error = xattr_check_inode(inode, header, is->s.end);
- if (error)
- return error;
/* Find the named attribute. */
error = xattr_find_entry(inode, &is->s.here, is->s.end,
i->name_index, i->name, 0);
@@ -2750,10 +2730,6 @@ retry:
min_offs = end - base;
total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
-
ifree = ext4_xattr_free_space(base, &min_offs, base, &total_ino);
if (ifree >= isize_diff)
goto shift;
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -210,6 +210,13 @@ extern int ext4_xattr_ibody_set(handle_t
extern struct mb_cache *ext4_xattr_create_cache(void);
extern void ext4_xattr_destroy_cache(struct mb_cache *);
+extern int
+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
+ void *end, const char *function, unsigned int line);
+
+#define xattr_check_inode(inode, header, end) \
+ __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
+
#ifdef CONFIG_EXT4_FS_SECURITY
extern int ext4_init_security(handle_t *handle, struct inode *inode,
struct inode *dir, const struct qstr *qstr);
next prev parent reply other threads:[~2026-01-15 17:11 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-15 16:48 [PATCH 6.1 00/72] 6.1.161-rc1 review Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 01/72] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 02/72] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 03/72] btrfs: always detect conflicting inodes when logging inode refs Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 04/72] mei: me: add nova lake point S DID Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 05/72] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 06/72] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 07/72] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 08/72] gpio: rockchip: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 09/72] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 10/72] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 11/72] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 12/72] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 13/72] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 14/72] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 15/72] ext4: introduce ITAIL helper Greg Kroah-Hartman
2026-01-15 16:48 ` Greg Kroah-Hartman [this message]
2026-01-15 16:48 ` [PATCH 6.1 17/72] net: Add locking to protect skb->dev access in ip_output Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 18/72] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 19/72] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 20/72] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 21/72] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 22/72] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 23/72] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 24/72] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 25/72] smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 26/72] smb/client: fix NT_STATUS_NO_DATA_DETECTED value Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 27/72] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 28/72] scsi: ufs: core: Fix EH failure after W-LUN resume error Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 29/72] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 30/72] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 31/72] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 32/72] arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 33/72] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 34/72] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 35/72] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 36/72] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 37/72] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 38/72] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 39/72] inet: ping: Fix icmp out counting Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 40/72] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 41/72] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 42/72] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 43/72] net: wwan: iosm: Fix memory leak in ipc_mux_deinit() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 44/72] eth: bnxt: move and rename reset helpers Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 45/72] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 46/72] net: fix memory leak in skb_segment_list for GRO packets Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 47/72] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 48/72] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.1 49/72] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 50/72] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 51/72] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 52/72] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 53/72] mm/pagewalk: add walk_page_range_vma() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 54/72] ksm: use range-walk function to jump over holes in scan_get_next_rmap_item Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 55/72] ALSA: ac97bus: Use guard() for mutex locks Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 56/72] ALSA: ac97: fix a double free in snd_ac97_controller_register() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 57/72] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 58/72] NFS: trace: show TIMEDOUT instead of 0x6e Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 59/72] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 60/72] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 61/72] bpf: Fix an issue in bpf_prog_test_run_xdp when page size greater than 4K Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 62/72] bpf: Make variables in bpf_prog_test_run_xdp less confusing Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 63/72] bpf: Support specifying linear xdp packet data size for BPF_PROG_TEST_RUN Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 64/72] bpf, test_run: Subtract size of xdp_frame from allowed metadata size Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 65/72] bpf: Fix reference count leak in bpf_prog_test_run_xdp() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 66/72] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 67/72] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 68/72] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 69/72] ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 70/72] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 71/72] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 6.1 72/72] bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path Greg Kroah-Hartman
2026-01-15 19:15 ` [PATCH 6.1 00/72] 6.1.161-rc1 review Brett A C Sheffield
2026-01-15 19:36 ` Slade Watkins
2026-01-15 22:14 ` Florian Fainelli
2026-01-16 7:55 ` Francesco Dolcini
2026-01-16 9:14 ` Peter Schneider
2026-01-16 10:22 ` Ron Economos
2026-01-16 10:33 ` Jon Hunter
2026-01-16 15:39 ` Mark Brown
2026-01-16 17:44 ` Hardik Garg
2026-01-16 19:28 ` Shuah Khan
2026-01-17 14:35 ` Miguel Ojeda
2026-01-19 11:10 ` Jeffrin Thalakkottoor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260115164144.081804783@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=david.nystrom@est.tech \
--cc=jack@suse.cz \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=yebin10@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.