[PATCH] ext4: avoid BUG_ON() in ext4_get_inline_entry()

Next message: Tycho Andersen: "[PATCH v1 2/4] crypto/ccp: Do not initialize SNP for ioctl(SNP_COMMIT)"
Previous message: Rafael J. Wysocki: "Re: [PATCH 0/5] Improvements to PCI hibernate path"
Next in thread: Jan Kara: "Re: [PATCH] ext4: avoid BUG_ON() in ext4_get_inline_entry()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vineet Agarwal

Date: Mon Apr 27 2026 - 12:24:34 EST

Corrupted inline directory metadata can cause offset to exceed
the inline data size through rec_len processing in
empty_inline_dir().

This triggers BUG_ON() in ext4_get_inline_entry(), causing a
kernel panic before ext4_check_dir_entry() can handle the
corruption gracefully.

Replace BUG_ON() with a NULL return and handle the invalid
offset in the caller by emitting a warning and exiting safely.

This prevents a kernel panic from corrupted inline directory
metadata.

Signed-off-by: Vineet Agarwal <agarwal.vineet2006@xxxxxxxxx>
---
fs/ext4/inline.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 8045e4ff270c..bca9936ed6d0 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1718,7 +1718,8 @@ ext4_get_inline_entry(struct inode *inode,
{
void *inline_pos;

- BUG_ON(offset > ext4_get_inline_size(inode));
+ if (offset > ext4_get_inline_size(inode))
+ return NULL;

if (offset < EXT4_MIN_INLINE_DATA_SIZE) {
inline_pos = (void *)ext4_raw_inode(iloc)->i_block;
@@ -1773,6 +1774,12 @@ bool empty_inline_dir(struct inode *dir, int *has_inline_data)
while (offset < inline_len) {
de = ext4_get_inline_entry(dir, &iloc, offset,
&inline_pos, &inline_size);
+ if (!de) {
+ ext4_warning(dir->i_sb,
+ "bad inline directory (dir #%llu) - invalid offset",
+ dir->i_ino);
+ goto out;
+ }
if (ext4_check_dir_entry(dir, NULL, de,
iloc.bh, inline_pos,
inline_size, offset)) {
--
2.54.0