CVE-2022-50782

Source
https://cve.org/CVERecord?id=CVE-2022-50782
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50782.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50782
Downstream
Related
Published
2025-12-24T13:06:09.914Z
Modified
2026-03-12T03:26:52.642355Z
Summary
ext4: fix bug_on in __es_tree_search caused by bad quota inode
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bug_on in __es_tree_search caused by bad quota inode

We got an issue as follows:

 kernel BUG at fs/ext4/extents_status.c:202!
 invalid opcode: 0000 [#1] PREEMPT SMP
 CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352
 RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0
 RSP: 0018:ffffc90001227900 EFLAGS: 00010202
 RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000
 RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8
 RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001
 R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10
 R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000
 FS:  00007f4bd76dbc40(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  <TASK>
  ext4_es_cache_extent+0xe2/0x210
  ext4_cache_extents+0xd2/0x110
  ext4_find_extent+0x5d5/0x8c0
  ext4_ext_map_blocks+0x9c/0x1d30
  ext4_map_blocks+0x431/0xa50
  ext4_getblk+0x82/0x340
  ext4_bread+0x14/0x110
  ext4_quota_read+0xf0/0x180
  v2_read_header+0x24/0x90
  v2_check_quota_file+0x2f/0xa0
  dquot_load_quota_sb+0x26c/0x760
  dquot_load_quota_inode+0xa5/0x190
  ext4_enable_quotas+0x14c/0x300
  __ext4_fill_super+0x31cc/0x32c0
  ext4_fill_super+0x115/0x2d0
  get_tree_bdev+0x1d2/0x360
  ext4_get_tree+0x19/0x30
  vfs_get_tree+0x26/0xe0
  path_mount+0x81d/0xfc0
  do_mount+0x8d/0xc0
  __x64_sys_mount+0xc0/0x160
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
  </TASK>

Above issue may happen as follows:

ext4_fill_super
 ext4_orphan_cleanup
  ext4_enable_quotas
   ext4_quota_enable
    ext4_iget --> get error inode <5>
     ext4_ext_check_inode --> Wrong imode makes it escape inspection
     make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode
    dquot_load_quota_inode
     vfs_setup_quota_inode --> check pass
     dquot_load_quota_sb
      v2_check_quota_file
       v2_read_header
        ext4_quota_read
         ext4_bread
          ext4_getblk
           ext4_map_blocks
            ext4_ext_map_blocks
             ext4_find_extent
              ext4_cache_extents
               ext4_es_cache_extent
                __es_tree_search.isra.0
                 ext4_es_end --> Wrong extents trigger BUG_ON

In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO, the ext4_ext_check_inode check in the ext4_iget function can be bypassed, finally, the extents that are not checked trigger the BUG_ON in the __es_tree_search function. To solve this issue, check whether the inode is bad_inode in vfs_setup_quota_inode().
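The trigger condition described above (a superblock quota inode field pointing at inode 5) can be checked on an untrusted image before it is mounted. The following is an added example, not code from the kernel or from this record; the superblock offsets come from the ext4 on-disk layout rather than from this page, and the function names and sample buffer are constructed for illustration.

```python
import struct

SUPERBLOCK_OFFSET = 1024      # primary superblock starts 1 KiB into the device
EXT4_MAGIC = 0xEF53           # s_magic, little-endian u16 at offset 0x38
EXT4_BOOT_LOADER_INO = 5      # reserved inode named in the record above
# Offsets of the quota inode fields inside the superblock (ext4 on-disk layout,
# an assumption taken from the format documentation, not from this page).
QUOTA_FIELDS = {
    "s_usr_quota_inum": 0x240,
    "s_grp_quota_inum": 0x244,
    "s_prj_quota_inum": 0x26C,
}

def quota_inode_findings(image: bytes) -> list[str]:
    """List the quota inode fields that point at the boot loader inode."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 0x270:
        raise ValueError("image too short to hold an ext4 superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT4_MAGIC:
        raise ValueError(f"not an ext2/3/4 superblock (magic {magic:#06x})")
    findings = []
    for name, off in QUOTA_FIELDS.items():
        (inum,) = struct.unpack_from("<I", sb, off)
        if inum == EXT4_BOOT_LOADER_INO:
            findings.append(f"{name} = {inum} (EXT4_BOOT_LOADER_INO)")
    return findings

def make_sample_image(usr_quota_inum: int) -> bytes:
    """Constructed sample: zeroed 2 KiB buffer with only magic and quota fields set."""
    img = bytearray(2048)
    struct.pack_into("<H", img, SUPERBLOCK_OFFSET + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0x240, usr_quota_inum)
    struct.pack_into("<I", img, SUPERBLOCK_OFFSET + 0x244, 4)
    return bytes(img)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # path to an image file or block device
        with open(sys.argv[1], "rb") as f:
            data = f.read(2048)
    else:                                 # fall back to the constructed sample
        data = make_sample_image(5)
    for line in quota_inode_findings(data) or ["no quota field points at inode 5"]:
        print(line)
```

This only flags the specific superblock value the record describes; it does not validate the inode's mode or extents, so running a fixed kernel remains the actual mitigation.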

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50782.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
393d1d1d76933886d5e1ce603214c9987589c6d5
Fixed
fb1d3b4107b4837b4a0dbbf01954269bd6acfdc3
Fixed
1d5524832ff204b8a8cd54ae1628b2122f6e9a8d
Fixed
98004f926d27eaccdd2d336b7916a42e07392da1
Fixed
0dcbf4dc3d54aab5990952cfd832042fb300dbe3
Fixed
794c9175db1f2e5d2a28c326f10bd024dbd944f8
Fixed
1daff79463d7d76096c84c57cddc30c5d4be2226
Fixed
d323877484765aaacbb2769b06e355c2041ed115

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50782.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  3.10.0      4.19.270
ECOSYSTEM  4.20.0      5.4.229
ECOSYSTEM  5.5.0       5.10.163
ECOSYSTEM  5.11.0      5.15.87
ECOSYSTEM  5.16.0      6.0.18
ECOSYSTEM  6.1.0       6.1.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50782.json"