[PATCH] ext4: validate EA inode i_nlink in ext4_xattr_inode_iget

Next message: Ian Bridges: "[PATCH] ocfs2: fix out-of-bounds read in ocfs2_duplicate_inline_data()"
Previous message: Enzo: "Re: [PATCH 4/4] arm64: dts: allwinner: add Radxa Cubie A7S"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yun Zhou

Date: Sat Jun 13 2026 - 09:30:19 EST

Validate EA inode i_nlink early in ext4_xattr_inode_iget() to convert
a WARN_ONCE in ext4_xattr_inode_update_ref() into a graceful error
return.

When a corrupted ext4 image has an EA inode with i_nlink set to an
invalid value (e.g. 65535), the code currently allows it through and
later hits a WARN_ONCE when ref_count reaches 0. While this is not a
security or stability issue -- it only fires on crafted filesystem
images and merely prints a call trace -- it is better handled as an
early sanity check that returns -EFSCORRUPTED, consistent with how ext4
treats other on-disk corruption.

An EA inode should only ever have i_nlink of 0 (orphaned, pending
deletion) or 1 (active). Reject anything above 1 at iget time.

Reported-by: syzbot+76916a45d2294b551fd9@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=76916a45d2294b551fd9
Fixes: dec214d00e0d ("ext4: xattr inode deduplication")
Signed-off-by: Yun Zhou <yun.zhou@xxxxxxxxxxxxx>
---
fs/ext4/xattr.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 982a1f831e22..2fc41a06a446 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -448,6 +448,14 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
}
ext4_xattr_inode_set_class(inode);

+ if (inode->i_nlink > 1) {
+ ext4_error(parent->i_sb,
+ "EA inode %lu has unexpected i_nlink=%u",
+ ea_ino, inode->i_nlink);
+ iput(inode);
+ return -EFSCORRUPTED;
+ }
+
/*
* Check whether this is an old Lustre-style xattr inode. Lustre
* implementation does not have hash validation, rather it has a
--
2.43.0