https://bugzilla.kernel.org/show_bug.cgi?id=200933

Theodore Tso (tytso@xxxxxxx) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tytso@xxxxxxx

--- Comment #2 from Theodore Tso (tytso@xxxxxxx) ---
Created attachment 278125
  --> https://bugzilla.kernel.org/attachment.cgi?id=278125&action=edit
Simplified crafted image

Here is a simplified crafted image. Here is also a simplified reproducer:

mount poc-200933.img.simplified /mnt
rmdir /mnt/foo/bar

The bug is in the function which checks to see if an inline directory is
empty; it is relying on the i_size of the inline directory, and if that
value is larger than what is correct, we can either overrun the buffer, or,
as in this case, trigger a division by zero error when we find that the
size of the next "directory entry" is zero. (This didn't trigger a KASAN
error because it was still a legal part of the inode table block.)

--
You are receiving this mail because:
You are watching the assignee of the bug.
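The failure mode the comment describes, as an added user-space model that is not kernel code and not part of the bug report: a walker that bounds its scan of an inline directory by i_size alone and uses each rec_len unchecked, next to a hardened walker that bounds the scan by the bytes that actually hold inline data and validates every rec_len (including the zero case) before using it. The entry layout, the 60-byte inline area, the four constructed sample images and every function name here are simplifying assumptions made for illustration, not the ext4 implementation.

```c
/* Added example (not kernel code, not from the bug report): a user-space
 * model of the empty check on an ext4-style inline directory.  The entry
 * layout, the 60-byte inline area and the sample images are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ENTRY_HDR_LEN   8    /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */
#define MIN_REC_LEN     12   /* header plus a one-byte name, padded to 4 */
#define INLINE_AREA_LEN 60   /* i_block, where the inline data lives (assumption) */
#define INLINE_DOTDOT   4    /* an inline dir starts with the ".." inode number */

enum walk_result {
    DIR_EMPTY = 0, DIR_NOT_EMPTY = 1, DIR_CORRUPT = -1,
    WOULD_OVERRUN = -2,  /* trusting walker would have read past the inline area */
    WOULD_SPIN = -3      /* trusting walker hit rec_len == 0 and would never advance */
};

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The shape of the bug as the report describes it: the scan is bounded by
 * i_size alone and rec_len is used without validation.  A real walker would
 * read past the area or loop forever; this model stops and reports instead. */
enum walk_result empty_inline_dir_trusting(const uint8_t *area, size_t i_size)
{
    size_t offset = INLINE_DOTDOT;
    while (offset < i_size) {
        if (offset + ENTRY_HDR_LEN > INLINE_AREA_LEN)
            return WOULD_OVERRUN;       /* i_size sent us beyond the real data */
        const uint8_t *de = area + offset;
        if (le32(de) != 0)
            return DIR_NOT_EMPTY;
        uint16_t rec_len = le16(de + 4);
        if (rec_len == 0)
            return WOULD_SPIN;          /* offset would never move */
        offset += rec_len;
    }
    return DIR_EMPTY;
}

/* Hardened walker: bounds the scan by the real inline area and validates
 * each rec_len before trusting it. */
enum walk_result empty_inline_dir_hardened(const uint8_t *area, size_t i_size)
{
    if (i_size > INLINE_AREA_LEN)
        return DIR_CORRUPT;             /* i_size claims more data than the area holds */
    size_t offset = INLINE_DOTDOT;
    while (offset < i_size) {
        if (offset + ENTRY_HDR_LEN > i_size)
            return DIR_CORRUPT;         /* not even a header fits */
        const uint8_t *de = area + offset;
        uint16_t rec_len = le16(de + 4);
        uint8_t name_len = de[6];
        if (rec_len < MIN_REC_LEN || rec_len % 4 != 0)
            return DIR_CORRUPT;         /* rejects rec_len == 0 and misaligned entries */
        if (rec_len < ENTRY_HDR_LEN + name_len || offset + rec_len > i_size)
            return DIR_CORRUPT;         /* name or entry would spill past its bounds */
        if (le32(de) != 0)
            return DIR_NOT_EMPTY;
        offset += rec_len;
    }
    return DIR_EMPTY;
}

/* Write one constructed entry at 'off'; only the header and name are written. */
static void put_entry(uint8_t *area, size_t off, uint32_t ino, uint16_t rec_len, const char *name)
{
    size_t nlen = strlen(name);
    put_le32(area + off, ino);
    put_le16(area + off + 4, rec_len);
    area[off + 6] = (uint8_t)nlen;
    area[off + 7] = 1;                  /* file_type: regular file (assumption) */
    memcpy(area + off + ENTRY_HDR_LEN, name, nlen);
}

enum sample { SAMPLE_EMPTY, SAMPLE_NONEMPTY, SAMPLE_BIG_ISIZE, SAMPLE_ZERO_REC_LEN };

/* Build a constructed sample inline directory; returns the i_size its inode claims. */
static size_t build_sample(enum sample s, uint8_t area[INLINE_AREA_LEN])
{
    memset(area, 0, INLINE_AREA_LEN);
    put_le32(area, 2);                  /* ".." inode number in the first four bytes */
    switch (s) {
    case SAMPLE_EMPTY:    put_entry(area, INLINE_DOTDOT, 0, 56, "");  return INLINE_AREA_LEN;
    case SAMPLE_NONEMPTY: put_entry(area, INLINE_DOTDOT, 13, 56, "a"); return INLINE_AREA_LEN;
    case SAMPLE_BIG_ISIZE: put_entry(area, INLINE_DOTDOT, 0, 56, ""); return 4096; /* i_size lies */
    case SAMPLE_ZERO_REC_LEN:
        put_entry(area, INLINE_DOTDOT, 0, 12, "");
        put_entry(area, INLINE_DOTDOT + 12, 0, 0, "");   /* next "entry" claims length zero */
        return INLINE_AREA_LEN;
    }
    return 0;
}

enum walk_result check_sample(enum sample s, int hardened)
{
    uint8_t area[INLINE_AREA_LEN];
    size_t i_size = build_sample(s, area);
    return hardened ? empty_inline_dir_hardened(area, i_size)
                    : empty_inline_dir_trusting(area, i_size);
}

int main(void)
{
    static const char *names[] = { "empty", "non-empty", "oversized i_size", "zero rec_len" };
    for (int s = SAMPLE_EMPTY; s <= SAMPLE_ZERO_REC_LEN; s++)
        printf("%-17s trusting=%d hardened=%d\n", names[s], check_sample(s, 0), check_sample(s, 1));
    return 0;
}
```

The two crafted samples correspond to the two outcomes the comment lists: an i_size larger than the inline area drives the trusting walker past the real data (WOULD_OVERRUN), and a zero-length next entry leaves it unable to advance (WOULD_SPIN); the hardened walker reports both as corruption before touching the bad entry. The trusting walker only returns sentinels instead of misbehaving because this is a model; the point is that the bound and the rec_len checks are what separate the two.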