summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYuto Ohnuki <ytohnuki@amazon.com>2026-06-30 17:39:24 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-04 13:39:39 +0200
commit636e8d85a36ab6c31aafd04ee66a69b18eebee7b (patch)
tree975d0b9f7553cc15142f8706600ac220208196bf
parente574af95234afc3c725988bbc1fdeb46b9f386a4 (diff)
downloadlinux-stable-636e8d85a36ab6c31aafd04ee66a69b18eebee7b.tar.gz
linux-stable-636e8d85a36ab6c31aafd04ee66a69b18eebee7b.zip
ext4: add bounds check for inline data length in ext4_read_inline_page
[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ] ext4_read_inline_page() does not validate that the inline data length fits within a page before copying data. If the inline size exceeds PAGE_SIZE due to filesystem corruption, this could lead to a kernel memory write beyond the page boundary. Add a bounds check after computing len, returning -EFSCORRUPTED if the value exceeds PAGE_SIZE. The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in ext4_read_inline_folio(). In 6.1 and earlier, the function is still named ext4_read_inline_page() and the BUG_ON was never present, so this patch adds the bounds check directly. Fixes: 46c7f254543d ("ext4: add read support for inline data") Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r--fs/ext4/inline.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index c5b1f9af2309..5d5f99ed9746 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -517,6 +517,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
goto out;
len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
+ if (len > PAGE_SIZE) {
+ ext4_error_inode(inode, __func__, __LINE__, 0,
+ "inline size %zu exceeds PAGE_SIZE", len);
+ ret = -EFSCORRUPTED;
+ brelse(iloc.bh);
+ goto out;
+ }
+
kaddr = kmap_atomic(page);
ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
flush_dcache_page(page);