Re: [syzbot] [ext4?] KASAN: use-after-free Write in ext4_insert_dentry

[Edward Adam Davis]

directory entry space is too smaller than file name?

#syz test


diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 790db7eac6c2..cd1e1e8e0c04 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2098,15 +2098,19 @@ void ext4_insert_dentry(struct inode *dir,
 	if (de->inode) {
 		struct ext4_dir_entry_2 *de1 =
 			(struct ext4_dir_entry_2 *)((char *)de + nlen);
+		printk("old name: %s, old nl: %d, oonl: %d, %s\n", de->name, nlen, de->name_len, __func__);
 		de1->rec_len = ext4_rec_len_to_disk(rlen - nlen, buf_size);
 		de->rec_len = ext4_rec_len_to_disk(nlen, buf_size);
 		de = de1;
+		rlen = ext4_rec_len_from_disk(de->rec_len, buf_size);
 	}
 	de->file_type = EXT4_FT_UNKNOWN;
 	de->inode = cpu_to_le32(inode->i_ino);
 	ext4_set_de_type(inode->i_sb, de, inode->i_mode);
-	de->name_len = fname_len(fname);
-	memcpy(de->name, fname_name(fname), fname_len(fname));
+	de->name_len = min_t(int, fname_len(fname), rlen - 8);
+	printk("rec length: %d, buf_size: %d, old nl: %d, name length:%d, %s\n", 
+		rlen, buf_size, nlen, fname_len(fname), __func__);
+	memcpy(de->name, fname_name(fname), de->name_len);
 	if (ext4_hash_in_dirent(dir)) {
 		struct dx_hash_info *hinfo = &fname->hinfo;