From: "Darrick J. Wong" <djwong@kernel.org>
To: Ahmet Eray Karadag <eraykrdg1@gmail.com>
Cc: tytso@mit.edu, adilger.kernel@dilger.ca,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
david.hunter.linux@gmail.com, skhan@linuxfoundation.org,
syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com,
Albin Babu Varghese <albinbabuvarghese20@gmail.com>
Subject: Re: [PATCH] Fix: ext4: add sanity check for inode inline write range
Date: Tue, 7 Oct 2025 17:47:17 -0700 [thread overview]
Message-ID: <20251008004717.GL8084@frogsfrogsfrogs> (raw)
In-Reply-To: <20251007234221.28643-2-eraykrdg1@gmail.com>
On Wed, Oct 08, 2025 at 02:42:22AM +0300, Ahmet Eray Karadag wrote:
> Add a simple check in ext4_try_to_write_inline_data() to prevent
> writes that extend past the inode's inline data area. The function
> now returns -EINVAL if pos + len exceeds i_inline_size.
>
> This avoids invalid inline write attempts and keeps the write path
> consistent with the inode limits.
>
> Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
> Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com>
> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
> ---
> fs/ext4/inline.c | 14 ++++++++++++--
> 1 file changed, 12 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
> index 1b094a4f3866..13ba56e8e334 100644
> --- a/fs/ext4/inline.c
> +++ b/fs/ext4/inline.c
> @@ -782,6 +782,16 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
> struct ext4_iloc iloc;
> int ret = 0, ret2;
>
> + if ((pos + len) > EXT4_I(inode)->i_inline_size) {
> + ext4_warning_inode(inode,
> + "inline write beyond capacity (pos=%lld, len=%u, inline_size=%d)",
> + pos, len, EXT4_I(inode)->i_inline_size);
> + folio_unlock(folio);
> + folio_put(folio);
> + ret = -EINVAL;
> + goto out;
Shouldn't write_begin have converted the file to block format if the
range to be written exceeds the possible inlinedata size?
> + }
> +
> if (unlikely(copied < len) && !folio_test_uptodate(folio))
> copied = 0;
>
> @@ -838,8 +848,8 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
> */
> if (pos + len > inode->i_size && ext4_can_truncate(inode))
> ext4_orphan_add(handle, inode);
> -
> - ret2 = ext4_journal_stop(handle);
> + if (handle)
> + ret2 = ext4_journal_stop(handle);
What is this??
--D
> if (!ret)
> ret = ret2;
> if (pos + len > inode->i_size) {
> --
> 2.43.0
>
>
next prev parent reply other threads:[~2025-10-08 0:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-07 23:42 [PATCH] Fix: ext4: add sanity check for inode inline write range Ahmet Eray Karadag
2025-10-08 0:47 ` Darrick J. Wong [this message]
2025-10-08 12:34 ` Theodore Ts'o
2025-10-08 13:40 ` Ahmet Eray Karadag
2025-10-09 14:21 ` David Hunter
2025-10-10 11:31 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251008004717.GL8084@frogsfrogsfrogs \
--to=djwong@kernel.org \
--cc=adilger.kernel@dilger.ca \
--cc=albinbabuvarghese20@gmail.com \
--cc=david.hunter.linux@gmail.com \
--cc=eraykrdg1@gmail.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).