In the Linux kernel, the following vulnerability has been resolved:
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
There's an issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
 __dump_stack lib/dump_stack.c:82 [inline]
 dump_stack+0xbe/0xfd lib/dump_stack.c:123
 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
 kasan_report+0x3a/0x50 mm/kasan/report.c:585
 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
 evict+0x39f/0x880 fs/inode.c:622
 iput_final fs/inode.c:1746 [inline]
 iput fs/inode.c:1772 [inline]
 iput+0x525/0x6c0 fs/inode.c:1758
 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
 ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
 mount_bdev+0x355/0x410 fs/super.c:1446
 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
 do_new_mount fs/namespace.c:2983 [inline]
 path_mount+0x119a/0x1ad0 fs/namespace.c:3316
 do_mount+0xfc/0x110 fs/namespace.c:3329
 __do_sys_mount fs/namespace.c:3540 [inline]
 __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
 ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
The above issue happens because ext4_xattr_delete_inode() doesn't check that the xattrs are valid when they are stored in the inode body, so ext4_xattr_inode_dec_ref_all() walks an unvalidated entry table and reads past the inode. To solve this, call xattr_check_inode() to verify the in-inode xattrs before they are used. In fact, we can verify them directly in ext4_iget_extra_inode(), so that there is no divergent verification.
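An added user-space model (not the kernel's own code) of the bounds check that xattr_check_inode() applies to the in-inode xattr region, so that a later walk such as the one in ext4_xattr_inode_dec_ref_all() never follows an entry past the inode; the entry layout mirrors struct ext4_xattr_entry and the sample buffers are constructed:

```c
/* Added model of the in-inode xattr check; this is not the kernel's own code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define XATTR_ROUND 3               /* EXT4_XATTR_PAD - 1 */
#define IBODY_MAGIC 0xEA020000u     /* ext4_xattr_ibody_header.h_magic */
struct xattr_entry {                /* same layout as struct ext4_xattr_entry */
    uint8_t  e_name_len, e_name_index;
    uint16_t e_value_offs;          /* inline value, relative to the first entry */
    uint32_t e_value_inum, e_value_size, e_hash;  /* inum != 0: value in an EA inode */
} __attribute__((packed));
/* Entry header plus name, padded to 4 bytes, as EXT4_XATTR_LEN() computes it. */
static size_t entry_len(uint8_t name_len) {
    return (name_len + XATTR_ROUND + sizeof(struct xattr_entry)) & ~(size_t)XATTR_ROUND;
}
/* Validate the in-inode xattr region buf[0..len) before it is walked. Returns the
 * number of entries whose value lives in an EA inode (the ones dec_ref_all touches),
 * or -1 if an entry, its name, an inline value or the terminator lies outside. */
int check_ibody_xattrs(const uint8_t *buf, size_t len) {
    uint32_t word; size_t off = sizeof(word); int ea_inodes = 0;
    if (len < sizeof(word)) return -1;
    memcpy(&word, buf, sizeof(word));
    if (word != IBODY_MAGIC) return 0;                  /* no in-inode xattrs */
    for (;;) {
        struct xattr_entry e;
        if (len - off < sizeof(word)) return -1;        /* terminator out of bounds */
        memcpy(&word, buf + off, sizeof(word));
        if (word == 0) return ea_inodes;                /* IS_LAST_ENTRY() */
        if (len - off < sizeof(e)) return -1;
        memcpy(&e, buf + off, sizeof(e));
        if (len - off < entry_len(e.e_name_len)) return -1;   /* name past the inode */
        if (e.e_value_inum == 0 && e.e_value_size != 0 &&
            ((e.e_value_offs & XATTR_ROUND) ||
             sizeof(word) + e.e_value_offs + (uint64_t)e.e_value_size > len)) return -1;
        if (e.e_value_inum != 0) ea_inodes++;
        off += entry_len(e.e_name_len);
    }
}
/* Constructed sample: magic, one entry "a" with its value in EA inode 0x1234, terminator. */
static const uint8_t sample_ok[] = {
    0x00, 0x00, 0x02, 0xEA,  0x01, 0x01, 0x00, 0x00,  0x34, 0x12, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  'a', 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00 };
/* Same bytes with e_name_len corrupted to 0xff: an unchecked walk would step 272
 * bytes ahead, past the inode, which is the out-of-bound read the fix prevents. */
static const uint8_t sample_bad[] = {
    0x00, 0x00, 0x02, 0xEA,  0xff, 0x01, 0x00, 0x00,  0x34, 0x12, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  'a', 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00 };
```

Truncating sample_ok by its last four bytes models an inode whose entry table has no terminator, which the check also rejects.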