Re: [PATCH] ext4: avoid BUG_ON() in ext4_get_inline_entry()
From: Jan Kara
Date: Tue Apr 28 2026 - 04:02:03 EST
On Mon 27-04-26 21:50:20, Vineet Agarwal wrote:
> Corrupted inline directory metadata can cause offset to exceed
> the inline data size through rec_len processing in
> empty_inline_dir().
>
> This triggers BUG_ON() in ext4_get_inline_entry(), causing a
> kernel panic before ext4_check_dir_entry() can handle the
> corruption gracefully.
>
> Replace BUG_ON() with a NULL return and handle the invalid
> offset in the caller by emitting a warning and exiting safely.
>
> This prevents a kernel panic from corrupted inline directory
> metadata.
>
> Signed-off-by: Vineet Agarwal <agarwal.vineet2006@xxxxxxxxx>
I guess this is motivated by some syskaller fuzzing (would be good to
reference). It however doesn't explain how the BUG_ON can trigger when
empty_inline_dir() just did:
inline_len = ext4_get_inline_size(dir);
...
while (offset < inline_len) {
de = ext4_get_inline_entry(dir, &iloc, offset, ...)
I suspect modification of the fs image while being mounted which is not
something we care about.
Honza
> ---
> fs/ext4/inline.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
> index 8045e4ff270c..bca9936ed6d0 100644
> --- a/fs/ext4/inline.c
> +++ b/fs/ext4/inline.c
> @@ -1718,7 +1718,8 @@ ext4_get_inline_entry(struct inode *inode,
> {
> void *inline_pos;
>
> - BUG_ON(offset > ext4_get_inline_size(inode));
> + if (offset > ext4_get_inline_size(inode))
> + return NULL;
>
> if (offset < EXT4_MIN_INLINE_DATA_SIZE) {
> inline_pos = (void *)ext4_raw_inode(iloc)->i_block;
> @@ -1773,6 +1774,12 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data)
> while (offset < inline_len) {
> de = ext4_get_inline_entry(dir, &iloc, offset,
> &inline_pos, &inline_size);
> + if (!de) {
> + ext4_warning(dir->i_sb,
> + "bad inline directory (dir #%llu) - invalid offset",
> + dir->i_ino);
> + goto out;
> + }
> if (ext4_check_dir_entry(dir, NULL, de,
> iloc.bh, inline_pos,
> inline_size, offset)) {
> --
> 2.54.0
>
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR