From: syzbot <syzbot+4c9d23743a2409b80293@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ext4: handle corrupted xattr entries in ext4_xattr_move_to_block
Date: Tue, 23 Sep 2025 01:35:31 -0700
Message-ID: <68d25bd3.050a0220.139b6.0023.GAE@google.com>
In-Reply-To: <68c9c3fc.050a0220.3c6139.0e66.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: handle corrupted xattr entries in ext4_xattr_move_to_block
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

During inode expansion, ext4_xattr_move_to_block() can encounter corrupted
xattr entries where e_value_size is zero but e_value_inum is non-zero,
indicating the entry claims to store its value in a separate inode but
has no actual value. This leads to a WARNING in ext4_xattr_block_set()
when it hits WARN_ON_ONCE(!i->value_len).

Add validation in ext4_xattr_move_to_block() to detect this corruption
pattern early and return -EFSCORRUPTED instead of allowing the invalid
data to propagate and trigger warnings.

Reported-by: syzbot+4c9d23743a2409b80293@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=4c9d23743a2409b80293
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ext4/xattr.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 5a6fe1513fd2..cbe06d7e3bb6 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2607,7 +2607,10 @@ static int ext4_xattr_move_to_block(handle_t *handle, struct inode *inode,
struct ext4_xattr_ibody_header *header = IHDR(inode, raw_inode);
int needs_kvfree = 0;
int error;
-
+ if (value_size == 0 && entry->e_value_inum != 0) {
+ error = -EFSCORRUPTED;
+ goto out;
+ }
is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS);
bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS);
b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS);
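Review bot: The new `goto out` is taken before `is`, `bs` and `b_entry_name` are assigned by the kzalloc()/kmalloc() calls that follow it, so the early exit is only safe if those pointers are initialised to NULL at their declarations and the `out` path tolerates that; neither the declarations nor the `out` label are visible in this hunk, so please confirm both or return -EFSCORRUPTED directly. The check tests the local `value_size` rather than `entry->e_value_size`, which the commit message names; it would help to state in the message or a comment that `value_size` is the CPU-endian copy of that field. The hunk also removes the blank line between the declarations and the first statement, so the new `if` now follows `int error;` directly; keep the blank line. Since this path rejects on-disk corruption, consider reporting it through the ext4 error helpers (for example EXT4_ERROR_INODE()) rather than returning silently, so the administrator sees which inode failed and is prompted to run fsck.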
--
2.43.0