Forwarded: [PATCH] ext4: hold buffer reference in ext4_read_inline_dir to prevent UAF
From: syzbot
Date: Tue Jan 13 2026 - 08:05:45 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] ext4: hold buffer reference in ext4_read_inline_dir to prevent UAF
Author: kartikey406@xxxxxxxxx
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Hold an additional buffer reference during ext4_read_inline_data() to
prevent use-after-free. The iloc buffer_head could be freed by another
thread while ext4_read_inline_data() is accessing it, leading to a
use-after-free read.
The fix ensures the buffer remains valid during the critical section:
- get_bh() before calling ext4_read_inline_data() increments refcount
- Even if another thread calls brelse(), refcount stays above zero
- Buffer cannot be freed while we hold the reference
- brelse() after ext4_read_inline_data() decrements refcount safely
Reported-by: syzbot+6986a30df88382d1f7bf@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=6986a30df88382d1f7bf
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
fs/ext4/inline.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 1f6bc05593df..b7dcbef4d5aa 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -1395,14 +1395,25 @@ int ext4_read_inline_dir(struct file *file,
}
inline_size = ext4_get_inline_size(inode);
+
+ /*
+ * Hold an additional reference to the iloc buffer to prevent
+ * use-after-free. The buffer could be freed by another thread
+ * during ext4_read_inline_data() if we don't hold a reference.
+ */
+ get_bh(iloc.bh);
+
dir_buf = kmalloc(inline_size, GFP_NOFS);
if (!dir_buf) {
ret = -ENOMEM;
+ brelse(iloc.bh);
up_read(&EXT4_I(inode)->xattr_sem);
goto out;
}
ret = ext4_read_inline_data(inode, dir_buf, inline_size, &iloc);
+ brelse(iloc.bh);
+
up_read(&EXT4_I(inode)->xattr_sem);
if (ret < 0)
goto out;
--
2.43.0