#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev Thanks for the report. I believe the patch below should address the problem reported at: https://syzkaller.appspot.com/bug?extid=730517f1d3fbe54a17c7 - Ted commit dbb59b993fe5f11cb195a094fe69a7f260285a5c Author: Theodore Ts'o <tytso@xxxxxxx> Date: Sat Mar 31 18:41:59 2018 -0400 ext4: force revalidation of directory pointer after seekdir(2) A malicious user could force the directory pointer to be in an invalid spot by using seekdir(2). Use the mechanism we already have to notice if the directory has changed since the last time we called ext4_readdir() to force a revalidation of the pointer. Reported-by: syzbot+1236ce66f79263e8a862@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Theodore Ts'o <tytso@xxxxxxx> Cc: stable@xxxxxxxxxxxxxxx
diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c
index da87cf757f7d..6ab7c2cf7136 100644
--- a/fs/ext4/dir.c
+++ b/fs/ext4/dir.c
@@ -365,13 +365,15 @@ static loff_t ext4_dir_llseek(struct file *file, loff_t offset, int whence)
 {
 struct inode *inode = file->f_mapping->host;
 int dx_dir = is_dx_dir(inode);
- loff_t htree_max = ext4_get_htree_eof(file);
+ loff_t ret, htree_max = ext4_get_htree_eof(file);
 if (likely(dx_dir))
- return generic_file_llseek_size(file, offset, whence,
+ ret = generic_file_llseek_size(file, offset, whence,
 htree_max, htree_max);
 else
- return ext4_llseek(file, offset, whence);
+ ret = ext4_llseek(file, offset, whence);
+ file->f_version = inode_peek_iversion(inode) - 2;
+ return ret;
 }
 /*
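Review bot: The `- 2` in `file->f_version = inode_peek_iversion(inode) - 2;` is an unexplained magic offset; as far as the hunk shows, its only job is to make f_version differ from the inode's current version so that the next ext4_readdir() takes its revalidation path, and that check lives outside this hunk. A comment should say so, e.g. `/* Force ext4_readdir() to revalidate f_pos: make f_version mismatch i_version */`, and state why 2 rather than 1 was chosen. The assignment also runs when the seek failed (`ret < 0`), which looks harmless but forces a needless revalidation; putting `if (ret >= 0)` in front of it would make the intent explicit. Because the commit message describes a user-triggerable invalid directory pointer, it is worth confirming that the htree (dx) readdir path also honours the f_version mismatch, not only the linear path.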