[PATCH 5.10.y] ext4: add bounds check for inline data length in ext4_read_inline_page
From: Yuto Ohnuki
Date: Tue Jun 30 2026 - 12:46:33 EST
[ Upstream commit 356227096eb66e41b23caf7045e6304877322edf ]
ext4_read_inline_page() does not validate that the inline data length
fits within a page before copying data. If the inline size exceeds
PAGE_SIZE due to filesystem corruption, this could lead to a kernel
memory write beyond the page boundary.
Add a bounds check after computing len, returning -EFSCORRUPTED if the
value exceeds PAGE_SIZE.
The upstream commit replaced a BUG_ON(len > PAGE_SIZE) in
ext4_read_inline_folio(). In 6.1 and earlier, the function is still named
ext4_read_inline_page() and the BUG_ON was never present, so this patch
adds the bounds check directly.
Fixes: 46c7f254543d ("ext4: add read support for inline data")
Signed-off-by: Yuto Ohnuki <ytohnuki@xxxxxxxxxx>
---
fs/ext4/inline.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 129f7ff56b43..edaa88202260 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -513,6 +513,14 @@ static int ext4_read_inline_page(struct inode *inode, struct page *page)
goto out;
len = min_t(size_t, ext4_get_inline_size(inode), i_size_read(inode));
+ if (len > PAGE_SIZE) {
+ ext4_error_inode(inode, __func__, __LINE__, 0,
+ "inline size %zu exceeds PAGE_SIZE", len);
+ ret = -EFSCORRUPTED;
+ brelse(iloc.bh);
+ goto out;
+ }
+
kaddr = kmap_atomic(page);
ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
flush_dcache_page(page);
--
2.50.1
Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284
Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705