Skip to content

Commit 57295e8

Browse files
eraykaradagtytso
eraykaradag
authored and
tytso
committed
ext4: guard against EA inode refcount underflow in xattr update
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn. Reported-by: [email protected] Fixes: https://syzbot.org/bug?extid=0be4f339a8218d2a5bb1 Cc: [email protected] Co-developed-by: Albin Babu Varghese <[email protected]> Signed-off-by: Albin Babu Varghese <[email protected]> Signed-off-by: Ahmet Eray Karadag <[email protected]> Message-ID: <[email protected]> Signed-off-by: Theodore Ts'o <[email protected]>
1 parent 04a9157 commit 57295e8

File tree

1 file changed

+8
-7
lines changed

1 file changed

+8
-7
lines changed

fs/ext4/xattr.c

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1019,7 +1019,7 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
10191019
int ref_change)
10201020
{
10211021
struct ext4_iloc iloc;
1022-
s64 ref_count;
1022+
u64 ref_count;
10231023
int ret;
10241024

10251025
inode_lock_nested(ea_inode, I_MUTEX_XATTR);
@@ -1029,13 +1029,17 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
10291029
goto out;
10301030

10311031
ref_count = ext4_xattr_inode_get_ref(ea_inode);
1032+
if ((ref_count == 0 && ref_change < 0) || (ref_count == U64_MAX && ref_change > 0)) {
1033+
ext4_error_inode(ea_inode, __func__, __LINE__, 0,
1034+
"EA inode %lu ref wraparound: ref_count=%lld ref_change=%d",
1035+
ea_inode->i_ino, ref_count, ref_change);
1036+
ret = -EFSCORRUPTED;
1037+
goto out;
1038+
}
10321039
ref_count += ref_change;
10331040
ext4_xattr_inode_set_ref(ea_inode, ref_count);
10341041

10351042
if (ref_change > 0) {
1036-
WARN_ONCE(ref_count <= 0, "EA inode %lu ref_count=%lld",
1037-
ea_inode->i_ino, ref_count);
1038-
10391043
if (ref_count == 1) {
10401044
WARN_ONCE(ea_inode->i_nlink, "EA inode %lu i_nlink=%u",
10411045
ea_inode->i_ino, ea_inode->i_nlink);
@@ -1044,9 +1048,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
10441048
ext4_orphan_del(handle, ea_inode);
10451049
}
10461050
} else {
1047-
WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld",
1048-
ea_inode->i_ino, ref_count);
1049-
10501051
if (ref_count == 0) {
10511052
WARN_ONCE(ea_inode->i_nlink != 1,
10521053
"EA inode %lu i_nlink=%u",

0 commit comments

Comments
 (0)