From: syzbot <syzbot+9db318d6167044609878@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers
Date: Tue, 30 Sep 2025 17:10:25 -0700 [thread overview]
Message-ID: <68dc7171.050a0220.25d7ab.076c.GAE@google.com> (raw)
In-Reply-To: <68335d8e.a70a0220.253bc2.008b.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ext4: add validation checks for corrupted extent headers
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
syzbot reported use-after-free bugs in extent tree operations, particularly
in ext4_ext_binsearch_idx() and ext4_ext_binsearch() called from
ext4_find_extent(), as well as crashes in ext4_ext_correct_indexes() and
ext4_ext_map_blocks().
The crashes occur when extent headers contain invalid data (wrong magic
number or freed memory). This can happen during concurrent operations on
the same inode where extent tree modifications lead to stale pointers.
Add validation checks at key points:
1. In ext4_find_extent(): validate extent headers before calling
ext4_ext_binsearch_idx() and ext4_ext_binsearch()
2. In ext4_ext_correct_indexes(): validate path and depth before
dereferencing path[depth]
3. In ext4_ext_map_blocks(): validate extent header after getting
the path from ext4_find_extent()
These defensive checks prevent crashes from invalid extent headers,
though the root cause of the corruption needs further investigation.
The checks ensure the code fails gracefully with -EFSCORRUPTED rather
than crashing on invalid memory access.
Reported-by: syzbot+9db318d6167044609878@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9db318d6167044609878
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
fs/ext4/extents.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index ca5499e9412b..fef9db80d65c 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -930,7 +930,11 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
while (i) {
ext_debug(inode, "depth %d: num %d, max %d\n",
ppos, le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max));
-
+ if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)) {
+ EXT4_ERROR_INODE(inode, "invalid extent header before binsearch_idx");
+ ret = -EFSCORRUPTED;
+ goto err;
+ }
ext4_ext_binsearch_idx(inode, path + ppos, block);
path[ppos].p_block = ext4_idx_pblock(path[ppos].p_idx);
path[ppos].p_depth = i;
@@ -952,12 +956,17 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
path[ppos].p_ext = NULL;
path[ppos].p_idx = NULL;
+ if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)) {
+ EXT4_ERROR_INODE(inode, "invalid extent header before binsearch");
+ ret = -EFSCORRUPTED;
+ goto err;
+ }
/* find extent */
ext4_ext_binsearch(inode, path + ppos, block);
/* if not an empty leaf */
if (path[ppos].p_ext)
path[ppos].p_block = ext4_ext_pblock(path[ppos].p_ext);
-
+
ext4_ext_show_path(inode, path);
return path;
@@ -1708,7 +1717,8 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
struct ext4_extent *ex;
__le32 border;
int k, err = 0;
-
+ if (!path || depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH)
+ return -EFSCORRUPTED;
eh = path[depth].p_hdr;
ex = path[depth].p_ext;
@@ -4200,6 +4210,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
unsigned int allocated_clusters = 0;
struct ext4_allocation_request ar;
ext4_lblk_t cluster_offset;
+ struct ext4_extent_header *eh;
ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len);
trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
@@ -4212,7 +4223,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
}
depth = ext_depth(inode);
-
+ eh = path[depth].p_hdr;
+ if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC || le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)) {
+ EXT4_ERROR_INODE(inode, "invalid extent header at depth %d", depth);
+ err = -EFSCORRUPTED;
+ goto out;
+ }
/*
* consistent leaf must not be empty;
* this situation is possible, though, _during_ tree modification;
--
2.43.0
prev parent reply other threads:[~2025-10-01 0:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-25 18:12 [syzbot] [ext4?] KASAN: use-after-free Read in ext4_ext_insert_extent syzbot
2025-05-26 14:53 ` syzbot
2025-09-30 15:20 ` Forwarded: [PATCH] ext4: fix use-after-free in ext4_ext_insert_extent() syzbot
2025-10-01 23:11 ` kernel test robot
2025-09-30 20:57 ` Forwarded: [PATCH] ext4: fix use-after-free in extent header access syzbot
2025-09-30 22:05 ` syzbot
2025-09-30 22:49 ` Forwarded: [PATCH] ext4: add defensive checks for extent header corruption syzbot
2025-09-30 23:09 ` Forwarded: [PATCH] ext4: add validation checks for corrupted extent headers syzbot
2025-10-01 0:10 ` syzbot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68dc7171.050a0220.25d7ab.076c.GAE@google.com \
--to=syzbot+9db318d6167044609878@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox