[PATCH] ext4: Fix block validation on non-journal fs in __ext4_iget()

From: Nguyen Dinh Phi <phind.uet@gmail.com>
To: "Theodore Ts'o" <tytso@mit.edu>,
	Andreas Dilger <adilger.kernel@dilger.ca>
Cc: Nguyen Dinh Phi <phind.uet@gmail.com>,
	syzbot+c7358a3cd05ee786eb31@syzkaller.appspotmail.com,
	linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] ext4: Fix block validation on non-journal fs in __ext4_iget()
Date: Thu, 21 Apr 2022 03:23:12 +0800	[thread overview]
Message-ID: <20220420192312.1655305-1-phind.uet@gmail.com> (raw)

Syzbot report following KERNEL BUG:
	kernel BUG at fs/ext4/extents_status.c:899!
	....
	Call Trace:
	 <TASK>
	 ext4_cache_extents+0x13e/0x2d0 fs/ext4/extents.c:518
	 ext4_find_extent+0x8f6/0xd10 fs/ext4/extents.c:916
	 ext4_ext_map_blocks+0x1e2/0x5f30 fs/ext4/extents.c:4098
	 ext4_map_blocks+0x9ca/0x18a0 fs/ext4/inode.c:563
	 ext4_getblk+0x553/0x6b0 fs/ext4/inode.c:849
	 ext4_bread_batch+0x7c/0x550 fs/ext4/inode.c:923
	 __ext4_find_entry+0x482/0x1050 fs/ext4/namei.c:1600
	 ext4_lookup_entry fs/ext4/namei.c:1701 [inline]
	 ext4_lookup fs/ext4/namei.c:1769 [inline]
	 ext4_lookup+0x4fc/0x730 fs/ext4/namei.c:1760
	 __lookup_slow+0x24c/0x480 fs/namei.c:1707
	 lookup_slow fs/namei.c:1724 [inline]
	 walk_component+0x40f/0x6a0 fs/namei.c:2020
	 link_path_walk.part.0+0x7ef/0xf70 fs/namei.c:2347
	 link_path_walk fs/namei.c:2272 [inline]
	 path_openat+0x266/0x2940 fs/namei.c:3605
	 do_filp_open+0x1aa/0x400 fs/namei.c:3636
	 do_sys_openat2+0x16d/0x4d0 fs/open.c:1214
	 do_sys_open fs/open.c:1230 [inline]
	 __do_sys_openat fs/open.c:1246 [inline]
	 __se_sys_openat fs/open.c:1241 [inline]
	 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1241
	 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	 entry_SYSCALL_64_after_hwframe+0x44/0xae
	 </TASK>

The reason is fast commit recovery path will skip block validation in
__ext4_iget(), it allows syzbot be able to mount a corrupted non-journal
filesystem and cause kernel BUG when accessing it.

Fix it by adding a condition checking.

Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Reported-by: syzbot+c7358a3cd05ee786eb31@syzkaller.appspotmail.com
---
 fs/ext4/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 560e56b42829..66c86d85081e 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4951,7 +4951,7 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
 		goto bad_inode;
 	} else if (!ext4_has_inline_data(inode)) {
 		/* validate the block references in the inode */
-		if (!(EXT4_SB(sb)->s_mount_state & EXT4_FC_REPLAY) &&
+		if (!(journal && EXT4_SB(sb)->s_mount_state & EXT4_FC_REPLAY) &&
 			(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) ||
 			(S_ISLNK(inode->i_mode) &&
 			!ext4_inode_is_fast_symlink(inode)))) {
-- 
2.25.1

