Home

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and buffered write in the middle of it without dioread_nolock enabled, it will allocate blocks as written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data |<- ->| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and leave the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and leave an written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only insert extent A to B to the extent status tree, and leave an stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always cached extent status entry after zeroing out the second part.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-30 | Assigner Linux

Product status

Default status
unaffected

ddf854e59166533b0f46ba32cd6cd9aca3197d1b (git) before 28db4bfc6f82fd20e2aadb7fc162244109a4eb31
affected

58ddae5d77b1db3a27b891c75a8fa120239ac092 (git) before f0931a5c17005a0c4fc35bd1a001245effc3354b
affected

d17857b4fb9ba5745b59be0ef38fd532991fccbf (git) before d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
affected

d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88 (git) before c2ee51d684adca7645e4aa74adca13f6750390bc
affected

7015fcf473796e1d2d876f241bd9e0c36f3d4eef (git) before a1b962a821e7a52d48212ae269b45808b4411267
affected

1bf6974822d1dba86cf11b5f05498581cf3488a2 (git) before 6d882ea3b0931b43530d44149b79fcd4ffc13030
affected

Default status
unaffected

6.1.167 (semver) before 6.1.168
affected

References

git.kernel.org/...c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31

git.kernel.org/...c/f0931a5c17005a0c4fc35bd1a001245effc3354b

git.kernel.org/...c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1

git.kernel.org/...c/c2ee51d684adca7645e4aa74adca13f6750390bc

git.kernel.org/...c/a1b962a821e7a52d48212ae269b45808b4411267

git.kernel.org/...c/6d882ea3b0931b43530d44149b79fcd4ffc13030

cve.org (CVE-2026-45892)

nvd.nist.gov (CVE-2026-45892)

Download JSON