[{"id":3679792,"web_url":"http://patchwork.ozlabs.org/comment/3679792/","msgid":"<ulfo7ut5ziqvrjy24besb4jtobijunycglvmqki7cwfzsancwi@5ycrwypubh56>","list_archive_url":null,"date":"2026-04-21T10:04:50","subject":"Re: [PATCH] ext4: prevent out-of-bounds read in\n ext4_read_inline_data()","submitter":{"id":363,"url":"http://patchwork.ozlabs.org/api/people/363/","name":"Jan Kara","email":"jack@suse.cz"},"content":"On Tue 21-04-26 17:31:38, Junjie Cao wrote:\n> ext4_read_inline_data() reads e_value_offs from the inode buffer_head on\n> each call, but the decision to enter the xattr value path depends on\n> i_inline_size cached in EXT4_I(inode) at iget time. If the buffer\n> contents change after the initial validation, e_value_offs can point\n> beyond the inode body while i_inline_size still directs the code into\n> the xattr value path, causing an out-of-bounds read in the memcpy.\n> \n> Add a bounds check before the memcpy, consistent with\n> ext4_xattr_ibody_get(). Also guard folio_mark_uptodate() in\n> ext4_read_inline_folio() since ext4_read_inline_data() can now return\n> -EFSCORRUPTED.\n> \n> Fixes: 67cf5b09a46f (\"ext4: add the basic function for inline data support\")\n> Cc: stable@vger.kernel.org\n> Reported-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com\n> Tested-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com\n> Closes: https://syzkaller.appspot.com/bug?extid=26c4a8cab92d0cda3e3b\n> Signed-off-by: Junjie Cao <junjie.cao@intel.com>\n\nIf the buffer contents changes after the initial validation, there is some\nproblem somewhere and this isn't going to fix it (likely the fs is\ncorrupted and that isn't properly detected). Please fix the real problem,\nnot just paper over it.\n\n\t\t\t\t\t\t\t\tHonza\n\n> ---\n>  fs/ext4/inline.c | 11 ++++++++++-\n>  1 file changed, 10 insertions(+), 1 deletion(-)\n> \n> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c\n> index 408677fa8196..18c678df0a6e 100644\n> --- a/fs/ext4/inline.c\n> 
+++ b/fs/ext4/inline.c\n> @@ -211,6 +211,14 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,\n>  \tlen = min_t(unsigned int, len,\n>  \t\t    (unsigned int)le32_to_cpu(entry->e_value_size));\n>  \n> +\tif (unlikely((void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs) +\n> +\t\t     len > (void *)ITAIL(inode, raw_inode))) {\n> +\t\tEXT4_ERROR_INODE(inode,\n> +\t\t\t\"inline data value out of bounds (offs %u len %u)\",\n> +\t\t\tle16_to_cpu(entry->e_value_offs), len);\n> +\t\treturn -EFSCORRUPTED;\n> +\t}\n> +\n>  \tmemcpy(buffer,\n>  \t       (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);\n>  \tcp_len += len;\n> 
@@ -535,7 +543,8 @@ static int ext4_read_inline_folio(struct inode *inode, struct folio *folio)\n>  \tret = ext4_read_inline_data(inode, kaddr, len, &iloc);\n>  \tkaddr = folio_zero_tail(folio, len, kaddr + len);\n>  \tkunmap_local(kaddr);\n> -\tfolio_mark_uptodate(folio);\n> +\tif (ret >= 0)\n> +\t\tfolio_mark_uptodate(folio);\n>  \tbrelse(iloc.bh);\n>  \n>  out:\n> -- \n> 2.43.0\n>",
"headers":{"Date":"Tue, 21 Apr 2026 12:04:50 +0200","From":"Jan Kara <jack@suse.cz>","To":"Junjie Cao <junjie.cao@intel.com>","Cc":"tytso@mit.edu, adilger.kernel@dilger.ca, jack@suse.cz,\n\tlibaokun@linux.alibaba.com, ojaswin@linux.ibm.com, ritesh.list@gmail.com,\n\tyi.zhang@huawei.com, linux-ext4@vger.kernel.org,\n linux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org, syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com","Subject":"Re: [PATCH] ext4: prevent out-of-bounds read in\n ext4_read_inline_data()","Message-ID":"<ulfo7ut5ziqvrjy24besb4jtobijunycglvmqki7cwfzsancwi@5ycrwypubh56>","References":"<20260421093138.906266-1-junjie.cao@intel.com>","In-Reply-To":"<20260421093138.906266-1-junjie.cao@intel.com>"}},
{"id":3681357,"web_url":"http://patchwork.ozlabs.org/comment/3681357/","msgid":"<jedkdkwm57tnq6xvdhtwkaqydwuizmxtwzko4i5p3v5gqjxrop@crjk5kvksub7>","list_archive_url":null,"date":"2026-04-23T09:46:32","subject":"Re: [PATCH] ext4: prevent out-of-bounds read in\n ext4_read_inline_data()","submitter":{"id":363,"url":"http://patchwork.ozlabs.org/api/people/363/","name":"Jan Kara","email":"jack@suse.cz"},"content":"On Fri 24-04-26 01:05:26, Junjie Cao wrote:\n> Thanks for the review, Jan.\n> \n> You're right that v1 failed to identify why the buffer changes.  I dug\n> into the syzbot reproducer -- the corruption path is:\n> \n>   1. 
Mount a crafted ext4 image on a loop device\n>   2. Bind-mount the loop device, open + mmap it MAP_SHARED|PROT_WRITE\n>   3. Write through the mapping -- this overwrites the inline xattr\n>      entry directly in the bdev page cache\n\nAh, interesting. I had a look at the syzbot bug and all the reproductions\nare actually only on quite old Android kernel (5.15). That kernel doesn't\nhave infrastructure to block writes to mounted devices - in newer kernels\nsyzbot sets\n\nCONFIG_BLK_DEV_WRITE_MOUNTED=n\n\nwhich blocks reproducers like this one.\n\n> The inode buffer_head stays uptodate throughout, so no re-validation\n> ever triggers -- xattr_check_inode() at iget time is thorough but only\n> runs once, leaving subsequent in-place corruption of the page cache\n> undetected.\n\nYes, writing to buffer cache through the mapping is equivalent to poking\nto your memory. You can do a lot of damage if you are not careful.\nFilesystems have no sensible way to protect against such things and in\ngeneral it is root-restricted corruption vector so not really interesting\nfrom security perspective.\n\n> However, ext4_xattr_ibody_get() already guards against this with a\n> bounds check before its memcpy (xattr.c:674).  ext4_read_inline_data()\n> lacks the same check because it indexes via the cached i_inline_off,\n> bypassing xattr_find_entry() entirely.  I think aligning the two paths\n> is worthwhile, and it would also clear this syzbot report.\n> \n> Would a v2 with this framing be acceptable to you?\n\nNo, I don't think there is a problem to fix. 
The additional checks will\ncomplicate the code, will be racy anyway, and will cost some performance.\nThere is no good reason to have them to protect from sysadmin doing stupid\nstuff...\n\n\t\t\t\t\t\t\t\tHonza",
"headers":{"Date":"Thu, 23 Apr 2026 11:46:32 +0200","From":"Jan Kara <jack@suse.cz>","To":"Junjie Cao <junjie.cao@intel.com>","Cc":"Jan Kara <jack@suse.cz>, tytso@mit.edu, adilger.kernel@dilger.ca,\n\tlibaokun@linux.alibaba.com, ojaswin@linux.ibm.com, ritesh.list@gmail.com,\n\tyi.zhang@huawei.com, linux-ext4@vger.kernel.org,\n linux-kernel@vger.kernel.org,\n\tstable@vger.kernel.org, syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com","Subject":"Re: [PATCH] ext4: prevent out-of-bounds read in\n ext4_read_inline_data()","Message-ID":"<jedkdkwm57tnq6xvdhtwkaqydwuizmxtwzko4i5p3v5gqjxrop@crjk5kvksub7>","References":"<20260421093138.906266-1-junjie.cao@intel.com>\n <ulfo7ut5ziqvrjy24besb4jtobijunycglvmqki7cwfzsancwi@5ycrwypubh56>\n <20260423170527.129423-1-junjie.cao@intel.com>","In-Reply-To":"<20260423170527.129423-1-junjie.cao@intel.com>"}}]
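
Review bot: in the ext4_read_inline_data() hunk of fs/ext4/inline.c, entry->e_value_offs is read from the buffer once for the new bounds check and again for the memcpy that follows, so the value that was checked is not guaranteed to be the value that is used if the buffer can change underneath, which is the scenario the commit message describes. Load le16_to_cpu(entry->e_value_offs) into a local once and use that local in the comparison, the error message and the memcpy. The message also prints len after min_t() has clamped it against e_value_size; printing le32_to_cpu(entry->e_value_size) as well would record the on-disk value that is out of range.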
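
Review bot: in the ext4_read_inline_folio() hunk, folio_zero_tail(folio, len, kaddr + len) still runs when ext4_read_inline_data() has returned an error, so only the tail is zeroed while the first len bytes of the mapped folio were never filled by the memcpy. Not calling folio_mark_uptodate() is the right signal, but the error path would be easier to follow if ret < 0 were tested immediately after the call and handled separately from the tail zeroing, with a short comment noting that ret can now be -EFSCORRUPTED.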