summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYuto Ohnuki <ytohnuki@amazon.com>2026-06-30 17:42:56 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-04 13:38:39 +0200
commit3462a3f0716d27af51896dc8688bcf0628fb17ee (patch)
tree74852b7ec5347caada9838915bcb62a31107109d
parenta1250962bacb667976877c08a2044ec7dc708353 (diff)
downloadlinux-stable-3462a3f0716d27af51896dc8688bcf0628fb17ee.tar.gz
linux-stable-3462a3f0716d27af51896dc8688bcf0628fb17ee.zip
ext4: add bounds check for inline data length in ext4_read_inline_page
[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ] ext4_read_inline_page() does not validate that the inline data length fits within a page before copying data. If the inline size exceeds PAGE_SIZE due to filesystem corruption, this could lead to a kernel memory write beyond the page boundary. Add a bounds check after computing len, returning -EFSCORRUPTED if the value exceeds PAGE_SIZE. The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in ext4_read_inline_folio(). In 6.1 and earlier, the function is still named ext4_read_inline_page() and the BUG_ON was never present, so this patch adds the bounds check directly. Fixes: 46c7f254543d ("ext4: add read support for inline data") Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r--fs/ext4/inline.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 129f7ff56b43..edaa88202260 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -513,6 +513,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
goto out;
len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
+ if (len > PAGE_SIZE) {
+ ext4_error_inode(inode, __func__, __LINE__, 0,
+ "inline size %zu exceeds PAGE_SIZE", len);
+ ret = -EFSCORRUPTED;
+ brelse(iloc.bh);
+ goto out;
+ }
+
kaddr = kmap_atomic(page);
ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
flush_dcache_page(page);