The use of "ext4_get_inode_loc()" inside "ext4_xattr_inode_dec_ref_all()" lacks proper error handling. If it can't find the correct "loc" for the "parent" inode, the value of "end" can't be guaranteed as valid.

Link: https://scan5.scan.coverity.com/#/project-view/36179/10063?selectedIssue=1645904
Signed-off-by: I Hsin Cheng <richard120310@xxxxxxxxx>
---
I wonder if there's a default value for "end"? So we can still loop through a certain amount of inodes without returning directly from the error. If we use "iloc" when ext4_get_inode_loc() returns an error, it might corrupt some inodes it shouldn't be able to. I wish to know what's the correct and thorough error handling here; I'll make the change if it's possible. Or is it guaranteed that the error never occurs?

Best regards,
I Hsin Cheng
---
 fs/ext4/xattr.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 7ab8f2e8e815..416500ae5248 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1169,7 +1169,11 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
 	if (block_csum)
 		end = (void *)bh->b_data + bh->b_size;
 	else {
-		ext4_get_inode_loc(parent, &iloc);
+		err = ext4_get_inode_loc(parent, &iloc);
+		if (err) {
+			EXT4_ERROR_INODE(parent, "inode loc (error %d)", err);
+			return;
+		}
 		end = (void *)ext4_raw_inode(&iloc) +
 			EXT4_SB(parent->i_sb)->s_inode_size;
 	}
-- 
2.43.0
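Review bot: the bare `return;` added in the `else` branch silently abandons the rest of ext4_xattr_inode_dec_ref_all(), so none of the EA inode references this function exists to drop are decremented, and since it is a void return the caller never learns that the walk was skipped; before settling on an early return, check whether the function can return `err` (or a caller can otherwise detect the failure) so the dropped work is not lost. Two smaller points on the same hunk: the hunk adds the first use of `err` without showing its declaration, so confirm the function already declares `int err;` at this point; and the message "inode loc (error %d)" would be more useful if it said what was being attempted, e.g. "failed to get inode loc while dropping EA inode refs (error %d)". The early return does avoid computing `end` from an `iloc` that ext4_get_inode_loc() never filled in, which is the correct part of the change.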