Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2225615/?format=api
{ "id": 2225615, "url": "http://patchwork.ozlabs.org/api/patches/2225615/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-ext4/patch/20260421093138.906266-1-junjie.cao@intel.com/", "project": { "id": 8, "url": "http://patchwork.ozlabs.org/api/projects/8/?format=api", "name": "Linux ext4 filesystem development", "link_name": "linux-ext4", "list_id": "linux-ext4.vger.kernel.org", "list_email": "linux-ext4@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260421093138.906266-1-junjie.cao@intel.com>", "list_archive_url": null, "date": "2026-04-21T09:31:38", "name": "ext4: prevent out-of-bounds read in ext4_read_inline_data()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "958d17658581995b70e65980b14bb46f45339d08", "submitter": { "id": 91537, "url": "http://patchwork.ozlabs.org/api/people/91537/?format=api", "name": "Junjie Cao", "email": "junjie.cao@intel.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-ext4/patch/20260421093138.906266-1-junjie.cao@intel.com/mbox/", "series": [ { "id": 500767, "url": "http://patchwork.ozlabs.org/api/series/500767/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-ext4/list/?series=500767", "date": "2026-04-21T09:31:38", "name": "ext4: prevent out-of-bounds read in ext4_read_inline_data()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500767/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225615/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2225615/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <SRS0=cFN5=CU=vger.kernel.org=linux-ext4+bounces-15947-patchwork-incoming=ozlabs.org@ozlabs.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-ext4@vger.kernel.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "patchwork-incoming@ozlabs.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=Cg19Uvk7;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=ozlabs.org\n (client-ip=150.107.74.76; helo=mail.ozlabs.org;\n envelope-from=srs0=cfn5=cu=vger.kernel.org=linux-ext4+bounces-15947-patchwork-incoming=ozlabs.org@ozlabs.org;\n receiver=patchwork.ozlabs.org)", "gandalf.ozlabs.org;\n arc=pass smtp.remote-ip=172.234.253.10 arc.chain=subspace.kernel.org", "gandalf.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=intel.com", "gandalf.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=Cg19Uvk7;\n\tdkim-atps=neutral", "gandalf.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15947-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com\n header.b=\"Cg19Uvk7\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=198.175.65.13", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=intel.com", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=intel.com" ], "Received": [ "from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0HHK2jK5z1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 19:34:05 +1000 (AEST)", "from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\tby gandalf.ozlabs.org (Postfix) with ESMTP id 4g0HHK29TPz4w1j\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 19:34:05 +1000 (AEST)", "by gandalf.ozlabs.org (Postfix)\n\tid 4g0HHK1stLz4w1Y; Tue, 21 Apr 2026 19:34:05 +1000 (AEST)", "from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby gandalf.ozlabs.org (Postfix) with ESMTPS id 4g0HHF0svPz4w1j\n\tfor <patchwork-incoming@ozlabs.org>; Tue, 21 Apr 2026 19:34:01 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 3A869300C928\n\tfor <patchwork-incoming@ozlabs.org>; Tue, 21 Apr 2026 09:32:15 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 5CE233A8FEA;\n\tTue, 21 Apr 2026 09:32:11 +0000 (UTC)", "from mgamail.intel.com (mgamail.intel.com [198.175.65.13])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id CF3DD3A7F75;\n\tTue, 21 Apr 2026 09:32:08 +0000 (UTC)", "from orviesa005.jf.intel.com ([10.64.159.145])\n by orvoesa105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 21 Apr 2026 02:32:07 -0700", "from junjie-desk-dev.bj.intel.com ([10.238.152.71])\n by orviesa005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 21 Apr 2026 02:32:03 -0700" ], "ARC-Seal": [ "i=2; a=rsa-sha256; d=ozlabs.org; s=201707; t=1776764045; cv=pass;\n\tb=NfPpnpq1PkIJ6j2y5TOBDjfXJt8gJXJNg3wARnWPzVjy0tnfZ10G1FaWKimWtYJMGLnHXRmD5YNNMeWlFwvrhjvreBNyQ+CxjBgeStBtm+rEPf7ibcdaZBMMeQ8+nbPVgIEtaq/XZQxAL5MJd7gJBM8W1J19Q4MXdLK3WYjgkd8n28E/p/hcwzhi2+iBbXBGgnLNI1CU0kz06zuf0zkuAAPAh9iZd1MWRc7+rgFwuNhRP/S3SMWVVT1IzwOM83VWz9CCcF7VnYhdo4M023Wh9EP6JDQ5zl9D4EnMLdyG4fGMOEcTz3wLHvbD538dDqc0TbRlhpxub9gUfVoKpOTW6w==", "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776763930; cv=none;\n b=gBkCQdiBjANRSGAzXfubb02p/xozJfTwb9uKakiPrLmGCLTpE6tCMlJ/FUQZBfheVSQcnBxAMzBqtC26cY80skaNkkmOOkLeM/8iFyl3tJchdqCsEs/S2PsrpoZ7pinXh4pthCTlls4tGQ6J/VUcW1K1mc7iphZ152kioxmDWos=" ], "ARC-Message-Signature": [ "i=2; a=rsa-sha256; d=ozlabs.org; s=201707;\n\tt=1776764045; c=relaxed/relaxed;\n\tbh=mTi6Ix9TBDV8E0stV2wc6n/wz8K8h/pyn+b81nWyZgw=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=BolMeXI3D8Imj4y1qjpEuVDt1HP08w4KJs89D8wK/B+eKMXdBswOB5F9RpE8skwg7G80sysVVxWDi1BYUdG47tP40yFcuO3hvO164lGoAxC6dBk0OXpvcQbsvangHMjrxiOs034z8dWRNWHJa8X1GYqLwvajE7vOqgps3iWZqcMzd2BL12GPZCErL5GF6V7v3AuAuiGg6steOnOfWed3jSVbeZuDZ5Ho9k3srfYXIql7LqUbqJc4x+t3cgBkzterrFSk2bp5OLTUkN2CXAlCr/n+1zp8HO2vr/ynuaHcLPbPYozUxgD7eARvxqcpoyB/cNbJ9ajEMqURuWbaY/hx7Q==", "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776763930; c=relaxed/simple;\n\tbh=Sq0s3Ai9Uj6WEHE5GsmPeZpiF/Xu9DQRsx09i8yUIR0=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=tJsOcAIe8Qt7adQpQCgWo0uKXBH+qWQP5lSP7k+lYIIAtObgcaCEZeubv0pz3AgGBmdmjipcsEwWedT6bNOvSur5QsXfcF5wjFti1YLZYzIIWIxKVjao9iqaHscEQSlFHY63wDE8zkAfhLm0NY+XfLE608716rnKOdqpFJubado=" ], "ARC-Authentication-Results": [ "i=2; gandalf.ozlabs.org;\n dmarc=pass (p=none dis=none) header.from=intel.com; dkim=pass (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=Cg19Uvk7; dkim-atps=neutral;\n spf=pass (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-ext4+bounces-15947-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org) smtp.mailfrom=vger.kernel.org", "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=intel.com;\n spf=pass smtp.mailfrom=intel.com;\n dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com\n header.b=Cg19Uvk7; arc=none smtp.client-ip=198.175.65.13" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1776763929; x=1808299929;\n h=from:to:cc:subject:date:message-id:mime-version:\n content-transfer-encoding;\n bh=Sq0s3Ai9Uj6WEHE5GsmPeZpiF/Xu9DQRsx09i8yUIR0=;\n b=Cg19Uvk7j+YOkBTWAdlhRj6PwfWgYO/U/9lC33gC/9sFIjPFX4QOTR6K\n Fiw/hq+wxn09HIal7WCx+14W8aBz4f5/OQ2I3/+BFJr9Ng33yGZt4i0P+\n 0queH4+ivMaJFSGxRD++i/Y8kNPw/dGd6wL21qCgo4dpLw8fu8maWbUXu\n feoOLXi0kGPF2/9kJy8Tywh87ZY+Vy3SBFkO6rV4CG7pS2K/PBta6o/SW\n TknKBAGHncp+8yZ1b375rPYdNEHEJPuxUMfgjBcnAonyGYHblBky0u+f7\n d2ItoUgsLN54VR92T/nUA+rcWRzLhAX68VxDtOH8ysEE0kZ3g89RMnDGo\n w==;", "X-CSE-ConnectionGUID": [ "PsWEmFW+TU2iIogeGMj+SA==", "mplqvNn6T1eSQ+PEm4AuZA==" ], "X-CSE-MsgGUID": [ "uGi7M2K2R9GXoqPF46Xi2w==", "mgZbQ6OJTRqQZoZo5msFpg==" ], "X-IronPort-AV": [ "E=McAfee;i=\"6800,10657,11762\"; a=\"88769816\"", "E=Sophos;i=\"6.23,191,1770624000\";\n d=\"scan'208\";a=\"88769816\"", "E=Sophos;i=\"6.23,191,1770624000\";\n d=\"scan'208\";a=\"236971344\"" ], "X-ExtLoop1": "1", "From": "Junjie Cao <junjie.cao@intel.com>", "To": "tytso@mit.edu", "Cc": "adilger.kernel@dilger.ca,\n\tjack@suse.cz,\n\tlibaokun@linux.alibaba.com,\n\tojaswin@linux.ibm.com,\n\tritesh.list@gmail.com,\n\tyi.zhang@huawei.com,\n\tlinux-ext4@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org,\n\tsyzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com,\n\tjunjie.cao@intel.com", "Subject": "[PATCH] ext4: prevent out-of-bounds read in ext4_read_inline_data()", "Date": "Tue, 21 Apr 2026 17:31:38 +0800", "Message-ID": "<20260421093138.906266-1-junjie.cao@intel.com>", "X-Mailer": "git-send-email 2.43.0", "Precedence": "bulk", "X-Mailing-List": "linux-ext4@vger.kernel.org", "List-Id": "<linux-ext4.vger.kernel.org>", "List-Subscribe": "<mailto:linux-ext4+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-ext4+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Spam-Status": "No, score=-1.2 required=5.0 tests=ARC_SIGNED,ARC_VALID,\n\tDKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,\n\tHEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,\n\tSPF_PASS autolearn=disabled version=4.0.1", "X-Spam-Checker-Version": "SpamAssassin 4.0.1 (2024-03-25) on gandalf.ozlabs.org" }, "content": "ext4_read_inline_data() reads e_value_offs from the inode buffer_head on\neach call, but the decision to enter the xattr value path depends on\ni_inline_size cached in EXT4_I(inode) at iget time. If the buffer\ncontents change after the initial validation, e_value_offs can point\nbeyond the inode body while i_inline_size still directs the code into\nthe xattr value path, causing an out-of-bounds read in the memcpy.\n\nAdd a bounds check before the memcpy, consistent with\next4_xattr_ibody_get(). Also guard folio_mark_uptodate() in\next4_read_inline_folio() since ext4_read_inline_data() can now return\n-EFSCORRUPTED.\n\nFixes: 67cf5b09a46f (\"ext4: add the basic function for inline data support\")\nCc: stable@vger.kernel.org\nReported-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com\nTested-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com\nCloses: https://syzkaller.appspot.com/bug?extid=26c4a8cab92d0cda3e3b\nSigned-off-by: Junjie Cao <junjie.cao@intel.com>\n---\n fs/ext4/inline.c | 11 ++++++++++-\n 1 file changed, 10 insertions(+), 1 deletion(-)", "diff": "diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c\nindex 408677fa8196..18c678df0a6e 100644\n--- a/fs/ext4/inline.c\n+++ b/fs/ext4/inline.c\n@@ -211,6 +211,14 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,\n \tlen = min_t(unsigned int, len,\n \t\t (unsigned int)le32_to_cpu(entry->e_value_size));\n \n+\tif (unlikely((void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs) +\n+\t\t len > (void *)ITAIL(inode, raw_inode))) {\n+\t\tEXT4_ERROR_INODE(inode,\n+\t\t\t\"inline data value out of bounds (offs %u len %u)\",\n+\t\t\tle16_to_cpu(entry->e_value_offs), len);\n+\t\treturn -EFSCORRUPTED;\n+\t}\n+\n \tmemcpy(buffer,\n \t (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);\n \tcp_len += len;\n@@ -535,7 +543,8 @@ static int ext4_read_inline_folio(struct inode *inode, struct folio *folio)\n \tret = ext4_read_inline_data(inode, kaddr, len, &iloc);\n \tkaddr = folio_zero_tail(folio, len, kaddr + len);\n \tkunmap_local(kaddr);\n-\tfolio_mark_uptodate(folio);\n+\tif (ret >= 0)\n+\t\tfolio_mark_uptodate(folio);\n \tbrelse(iloc.bh);\n \n out:\n", "prefixes": [] }