From: syzbot <syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ext4: add debug printk to trace xattr validation path
Date: Fri, 27 Mar 2026 06:28:01 -0700
Message-ID: <69c685e1.050a0220.172bcd.0003.GAE@google.com>
In-Reply-To: <699b9b6f.a70a0220.2c38d7.0189.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ext4: add debug printk to trace xattr validation path
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add temporary printk statements to trace the inline xattr validation
code path for debugging syzbot use-after-free in xattr_find_entry().

This helps determine whether __xattr_check_inode() is being called
before ext4_xattr_ibody_get() accesses inline xattr entries, and
what the IFIRST/ITAIL gap values are at each stage.

Not for upstream submission - debug only.

Reported-by: syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fb32afec111a7d61b939
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ext4/inode.c | 4 ++++
 fs/ext4/xattr.c | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 396dc3a5d16b..af3a6992bf20 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5331,11 +5331,15 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
 
 	if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) {
 		if (ei->i_extra_isize == 0) {
+			 printk("DEBUG: inode %lu: i_extra_isize == 0, skipping xattr check\n",
+               inode->i_ino);
 			/* The extra space is currently unused. Use it. */
 			BUILD_BUG_ON(sizeof(struct ext4_inode) & 3);
 			ei->i_extra_isize = sizeof(struct ext4_inode) -
 					    EXT4_GOOD_OLD_INODE_SIZE;
 		} else {
+			 printk("DEBUG: inode %lu: calling ext4_iget_extra_inode\n",
+               inode->i_ino);
 			ret = ext4_iget_extra_inode(inode, raw_inode, ei);
 			if (ret)
 				goto bad_inode;
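
Review bot: both printk() calls added to the i_extra_isize branches of __ext4_iget() carry no KERN_ log level and no rate limit, and they run for every inode loaded on a filesystem whose inode size exceeds EXT4_GOOD_OLD_INODE_SIZE, so the lines for the inode under investigation will be buried among unrelated inode loads. Use pr_info_ratelimited() or gate the print on the inode number of interest. In the else branch, logging ret after ext4_iget_extra_inode() returns would show whether validation passed, which the trace currently cannot tell. The continuation lines are also indented with spaces where the surrounding code uses tabs.
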
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 7bf9ba19a89d..abc27521a3a8 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -316,6 +316,9 @@ int
 __xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
 			 void *end, const char *function, unsigned int line)
 {
+	printk("DEBUG: inode %lu: __xattr_check_inode called, IFIRST=%px end=%px gap=%ld\n",
+           inode->i_ino, IFIRST(header), end,
+           (long)(end - (void *)IFIRST(header)));
 	return check_xattrs(inode, NULL, IFIRST(header), end, IFIRST(header),
 			    function, line);
 }
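
Review bot: the format string added at the top of __xattr_check_inode() prints IFIRST(header) and end with %px, which writes unhashed kernel addresses into the log; the question posed in the commit message is answered by the gap value alone, so %p or dropping the two pointers would be enough. The gap is a pointer difference, so %td avoids the (long) cast. Because the function returns check_xattrs() directly, the trace shows that the check ran but not its result; storing the return value in a local and printing it before returning would close that gap.
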
@@ -645,6 +648,8 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
 
 	if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR))
 		return -ENODATA;
+	printk("DEBUG: inode %lu: ext4_xattr_ibody_get called, EXT4_STATE_XATTR is set\n",
+       inode->i_ino);
 	error = ext4_get_inode_loc(inode, &iloc);
 	if (error)
 		return error;
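
Review bot: the printk() added after the EXT4_STATE_XATTR test in ext4_xattr_ibody_get() logs only the inode number, so lookups for different attributes on the same inode are indistinguishable in the trace. name_index and name are both parameters of this function; adding them to the message (for example "name_index=%d name=%s") would let the log show which lookup reaches xattr_find_entry() with a bad gap. As with the other additions, there is no KERN_ level and no rate limit on a path that runs for every inline xattr read.
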
@@ -652,6 +657,9 @@ ext4_xattr_ibody_get(struct inode *inode, int name_index, const char *name,
 	header = IHDR(inode, raw_inode);
 	end = ITAIL(inode, raw_inode);
 	entry = IFIRST(header);
+	printk("DEBUG: inode %lu: ibody_get IFIRST=%px end=%px gap=%ld\n",
+		inode->i_ino, entry, end,
+		(long)(end - (void *)entry));
 	error = xattr_find_entry(inode, &entry, end, name_index, name, 0);
 	if (error)
 		goto cleanup;
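
Review bot: the printk() placed before xattr_find_entry() records the IFIRST/ITAIL gap but not the outcome of the lookup, so a line with a suspicious gap cannot be tied to the error value that follows; printing error after the call, before the goto cleanup test, would complete the trace. The message prefix here is "ibody_get" while the earlier line in the same function uses "ext4_xattr_ibody_get called", which makes grepping the two together harder than it needs to be. The %px specifiers again expose raw kernel addresses where the gap alone carries the information.
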
-- 
2.43.0


Thread overview: 7+ messages
2026-02-23  0:12 [syzbot] [ext4?] KASAN: use-after-free Read in xattr_find_entry (2) syzbot
2026-02-24  8:36 ` Forwarded: [PATCH] ext4: add bounds check in xattr_find_entry() to prevent use-after-free syzbot
2026-02-24  8:52 ` syzbot
2026-03-26 14:50 ` Forwarded: [PATCH] ext4: fix bounds check in check_xattrs() to account for IS_LAST_ENTRY() read syzbot
2026-03-27 13:28 ` syzbot [this message]
2026-03-30  1:43 ` Forwarded: [PATCH] loop: block loop reconfiguration of offset/sizelimit on mounted device syzbot
2026-03-31  1:04 ` Forwarded: [PATCH] loop: block changing lo_offset/lo_sizelimit " syzbot
