Date: Fri, 30 Dec 2022 12:07:16 -0800
From: Eric Biggers
To: Tudor Ambarus
Cc: tytso@mit.edu, adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, joneslee@google.com, syzbot+0827b4b52b5ebf65f219@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: Re: [PATCH v2] ext4: Fix possible use-after-free in ext4_find_extent
References: <20221230062931.2344157-1-tudor.ambarus@linaro.org>
X-Mailing-List: linux-ext4@vger.kernel.org

On Fri, Dec 30, 2022 at 01:42:45PM +0200, Tudor Ambarus wrote:
>
> Seems that __ext4_iget() is not called on writes.

It is called when the inode is first accessed.  Usually that's when the
file is opened.  So the question is why didn't it validate the inode's
extent header, or alternatively how did the inode's extent header get
corrupted afterwards.

> You can find below the sequence of calls that leads to the bug.

A stack trace is not a reproducer.  Things must have happened before that
point.

- Eric
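The reply above turns on what "validate the inode's extent header" means and why a header that passed validation at iget time but was corrupted later is dangerous. The following is an added example, not code from this thread or from the ext4 driver: a user-space check over an extent header modelled on the sanity checks the kernel applies when an inode is first read, together with a walk that refuses to trust eh_entries until the header passes. The magic value 0xf30a, the 60-byte i_block area and the 12-byte entry size are on-disk format facts; the depth bound follows the driver's EXT4_MAX_EXTENT_DEPTH of 5; the function names, the error codes and the sample i_block contents are this example's own.

```c
/* Added example (not from the thread or from fs/ext4): user-space sanity
 * checks over an ext4 extent header, modelled on what the kernel verifies
 * when it first reads an inode. Helper names and the constructed sample
 * data are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EXT4_EXT_MAGIC        0xf30a
#define EXT4_MAX_EXTENT_DEPTH 5
#define EXT4_I_BLOCK_SIZE     60   /* i_block[] is 15 x 32-bit words */
#define EXT_HDR_SIZE          12   /* struct ext4_extent_header */
#define EXT_ENTRY_SIZE        12   /* ext4_extent and ext4_extent_idx are both 12 bytes */
#define EXT_INIT_MAX_LEN      32768 /* ee_len above this marks an unwritten extent */

enum ext_check {
    EXT_OK = 0,
    EXT_TOO_SMALL,
    EXT_BAD_MAGIC,
    EXT_BAD_DEPTH,
    EXT_BAD_MAX,
    EXT_BAD_ENTRIES
};

/* On-disk fields are little-endian; decode explicitly so the check does
 * not depend on host byte order. */
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)(v & 0xffff)); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Check a header stored in 'size' bytes: 60 for the inode's i_block[] area,
 * the filesystem block size for an index or leaf block. */
enum ext_check ext_check_header(const uint8_t *buf, size_t size)
{
    if (size < EXT_HDR_SIZE)
        return EXT_TOO_SMALL;
    uint16_t magic   = get_le16(buf + 0);
    uint16_t entries = get_le16(buf + 2);
    uint16_t max     = get_le16(buf + 4);
    uint16_t depth   = get_le16(buf + 6);
    size_t room = (size - EXT_HDR_SIZE) / EXT_ENTRY_SIZE;

    if (magic != EXT4_EXT_MAGIC)
        return EXT_BAD_MAGIC;
    if (depth > EXT4_MAX_EXTENT_DEPTH)
        return EXT_BAD_DEPTH;
    if (max == 0 || max > room)        /* eh_max must fit the storage it lives in */
        return EXT_BAD_MAX;
    if (entries > max)                 /* eh_entries drives every later walk of the tree */
        return EXT_BAD_ENTRIES;
    return EXT_OK;
}

/* Sum the block counts of the leaf extents in an i_block area. Returns -1
 * instead of walking when the header fails the check: walking on a
 * corrupted eh_entries is exactly the out-of-bounds read to avoid. */
long ext_sum_leaf_len(const uint8_t *buf, size_t size)
{
    if (ext_check_header(buf, size) != EXT_OK)
        return -1;
    if (get_le16(buf + 6) != 0)        /* this walker only handles a depth-0 (leaf) header */
        return -1;
    uint16_t entries = get_le16(buf + 2);
    long total = 0;
    for (uint16_t i = 0; i < entries; i++) {
        const uint8_t *ee = buf + EXT_HDR_SIZE + (size_t)i * EXT_ENTRY_SIZE;
        uint16_t len = get_le16(ee + 4);   /* ee_len */
        total += len > EXT_INIT_MAX_LEN ? len - EXT_INIT_MAX_LEN : len;
    }
    return total;
}

/* Constructed sample (not real on-disk data): an inline extent tree in
 * i_block with one leaf extent of 8 blocks; 'entries' lets the caller
 * plant a corrupted eh_entries in an otherwise valid header. */
void ext_build_sample(uint8_t *buf, uint16_t entries)
{
    memset(buf, 0, EXT4_I_BLOCK_SIZE);
    put_le16(buf + 0, EXT4_EXT_MAGIC);
    put_le16(buf + 2, entries);
    put_le16(buf + 4, 4);              /* (60 - 12) / 12 = 4 inline entries */
    put_le16(buf + 6, 0);              /* leaf */
    put_le32(buf + 12, 0);             /* ee_block    = logical block 0 */
    put_le16(buf + 16, 8);             /* ee_len      = 8 blocks */
    put_le16(buf + 18, 0);             /* ee_start_hi */
    put_le32(buf + 20, 1234);          /* ee_start_lo = physical block 1234 */
}

/* Convenience wrappers so the sample can be checked by return value. */
int ext_sample_check(uint16_t entries)
{
    uint8_t b[EXT4_I_BLOCK_SIZE];
    ext_build_sample(b, entries);
    return (int)ext_check_header(b, sizeof b);
}

long ext_sample_sum(uint16_t entries)
{
    uint8_t b[EXT4_I_BLOCK_SIZE];
    ext_build_sample(b, entries);
    return ext_sum_leaf_len(b, sizeof b);
}

int main(void)
{
    printf("valid header:     check=%d leaf blocks=%ld\n", ext_sample_check(1), ext_sample_sum(1));
    printf("corrupted header: check=%d leaf blocks=%ld\n", ext_sample_check(9), ext_sample_sum(9));
    return 0;
}
```

The point the wrappers make is the one in the reply: a check run once at first access only protects code that runs against the same bytes it checked. If the header is overwritten between iget and a later ext4_find_extent(), the eh_entries value the walker trusts is no longer the one that was validated.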