[PATCH] ext4: avoid BUG_ON() in ext4_get_inline_entry()

[PATCH] ext4: avoid BUG_ON() in ext4_get_inline_entry()

[Vineet Agarwal]

Corrupted inline directory metadata can cause offset to exceed
the inline data size through rec_len processing in
empty_inline_dir().

This triggers BUG_ON() in ext4_get_inline_entry(), causing a
kernel panic before ext4_check_dir_entry() can handle the
corruption gracefully.

Replace BUG_ON() with a NULL return and handle the invalid
offset in the caller by emitting a warning and exiting safely.

This prevents a kernel panic from corrupted inline directory
metadata.

Signed-off-by: Vineet Agarwal <agarwal.vineet2006@gmail.com>
---
 fs/ext4/inline.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 8045e4ff270c..bca9936ed6d0 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1718,7 +1718,8 @@ ext4_get_inline_entry(struct inode *inode,
 {
 	void *inline_pos;
 
-	BUG_ON(offset > ext4_get_inline_size(inode));
+	if (offset > ext4_get_inline_size(inode))
+		return NULL;
 
 	if (offset < EXT4_MIN_INLINE_DATA_SIZE) {
 		inline_pos = (void *)ext4_raw_inode(iloc)->i_block;
@@ -1773,6 +1774,12 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data)
 	while (offset < inline_len) {
 		de = ext4_get_inline_entry(dir, &iloc, offset,
 					   &inline_pos, &inline_size);
+		if (!de) {
+			ext4_warning(dir->i_sb,
+				     "bad inline directory (dir #%llu) - invalid offset",
+				     dir->i_ino);
+			goto out;
+		}
 		if (ext4_check_dir_entry(dir, NULL, de,
 					 iloc.bh, inline_pos,
 					 inline_size, offset)) {
-- 
2.54.0

Re: [PATCH] ext4: avoid BUG_ON() in ext4_get_inline_entry()

[Jan Kara]

On Mon 27-04-26 21:50:20, Vineet Agarwal wrote:
> Corrupted inline directory metadata can cause offset to exceed
> the inline data size through rec_len processing in
> empty_inline_dir().
> 
> This triggers BUG_ON() in ext4_get_inline_entry(), causing a
> kernel panic before ext4_check_dir_entry() can handle the
> corruption gracefully.
> 
> Replace BUG_ON() with a NULL return and handle the invalid
> offset in the caller by emitting a warning and exiting safely.
> 
> This prevents a kernel panic from corrupted inline directory
> metadata.
> 
> Signed-off-by: Vineet Agarwal <agarwal.vineet2006@gmail.com>

I guess this is motivated by some syskaller fuzzing (would be good to
reference). It however doesn't explain how the BUG_ON can trigger when
empty_inline_dir() just did:

	inline_len = ext4_get_inline_size(dir);
	...
	while (offset < inline_len) {
		de = ext4_get_inline_entry(dir, &iloc, offset, ...)

I suspect modification of the fs image while being mounted which is not
something we care about.

								Honza

> ---
>  fs/ext4/inline.c | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
> index 8045e4ff270c..bca9936ed6d0 100644
> --- a/fs/ext4/inline.c
> +++ b/fs/ext4/inline.c
> @@ -1718,7 +1718,8 @@ ext4_get_inline_entry(struct inode *inode,
>  {
>  	void *inline_pos;
>  
> -	BUG_ON(offset > ext4_get_inline_size(inode));
> +	if (offset > ext4_get_inline_size(inode))
> +		return NULL;
>  
>  	if (offset < EXT4_MIN_INLINE_DATA_SIZE) {
>  		inline_pos = (void *)ext4_raw_inode(iloc)->i_block;
> @@ -1773,6 +1774,12 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data)
>  	while (offset < inline_len) {
>  		de = ext4_get_inline_entry(dir, &iloc, offset,
>  					   &inline_pos, &inline_size);
> +		if (!de) {
> +			ext4_warning(dir->i_sb,
> +				     "bad inline directory (dir #%llu) - invalid offset",
> +				     dir->i_ino);
> +			goto out;
> +		}
>  		if (ext4_check_dir_entry(dir, NULL, de,
>  					 iloc.bh, inline_pos,
>  					 inline_size, offset)) {
> -- 
> 2.54.0
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR