Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2026-45858
CVE-2026-45858
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
When allocating initialized blocks from a large unwritten extent, or when splitting an unwritten extent during end I/O and converting it to initialized, there is currently a potential issue of stale data if the extent needs to be split in the middle.
0 A B N [UUUUUUUUUUUU] U: unwritten extent [--DDDDDDDD--] D: valid data |<- ->| ----> this range needs to be initialized
ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and mark the entire extent from 0 to N as written.
0 A B N [WWWWWWWWWWWW] W: written extent [SSDDDDDDDDZZ] Z: zeroed, S: stale data
ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and left a stale written extent from 0 to A.
0 A B N [WW|WWWWWWWWWW] [SS|DDDDDDDDZZ]
Fix this by pass EXT4_EXT_DATA_PARTIAL_VALID1 to ext4_split_extent_at() when splitting at B, don't convert the entire extent to written and left it as unwritten after zeroing out B to N. The remaining work is just like the standard two-part split. ext4_split_extent() will pass the EXT4_EXT_DATA_VALID2 flag when it calls ext4_split_extent_at() for the second time, allowing it to properly handle the split. If the split is successful, it will keep extent from 0 to A as unwritten.
Affected products
2Patches
107015fcf47379ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZhang YiNov 29, 2025Fixed in 6.19.4via kernel-cna
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 1ef23a2a94d535..91b56de60c9055 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 1ef23a2a94d535..91b56de60c9055 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
58ddae5d77b1ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZhang YiNov 29, 2025Fixed in 6.6.130via kernel-cna
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 18520281e1b5fd..fd9517dbf633e6 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3296,6 +3296,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3371,7 +3380,9 @@ static int ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) { -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 18520281e1b5fd..fd9517dbf633e6 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3296,6 +3296,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3371,7 +3380,9 @@ static int ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) { -- cgit 1.3-korg
d67c8ecf3d8fext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZhang YiNov 29, 2025Fixed in 6.18.14via kernel-cna
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ac28bd371d8958..68172b85847d9f 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ac28bd371d8958..68172b85847d9f 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
d17857b4fb9bext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZhang YiNov 29, 2025Fixed in 6.12.75via kernel-cna
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 529ca0fb371d90..4b8eafac5140e0 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3308,6 +3308,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3377,7 +3386,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 529ca0fb371d90..4b8eafac5140e0 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3308,6 +3308,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3377,7 +3386,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
1bf6974822d1ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZhang YiNov 29, 2025Fixed in 7.0via kernel-cna
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 8d5ca450aa5d23..1fee84ea20af1b 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 8d5ca450aa5d23..1fee84ea20af1b 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
7015fcf47379ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 1ef23a2a94d535..91b56de60c9055 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 1ef23a2a94d535..91b56de60c9055 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
d17857b4fb9bext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 529ca0fb371d90..4b8eafac5140e0 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3308,6 +3308,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3377,7 +3386,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 529ca0fb371d90..4b8eafac5140e0 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3308,6 +3308,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3377,7 +3386,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
d67c8ecf3d8fext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ac28bd371d8958..68172b85847d9f 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ac28bd371d8958..68172b85847d9f 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
58ddae5d77b1ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 18520281e1b5fd..fd9517dbf633e6 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3296,6 +3296,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3371,7 +3380,9 @@ static int ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) { -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 18520281e1b5fd..fd9517dbf633e6 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3296,6 +3296,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3371,7 +3380,9 @@ static int ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) { -- cgit 1.3-korg
1bf6974822d1ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
2 files changed · +24 −4
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 8d5ca450aa5d23..1fee84ea20af1b 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
fs/ext4/extents.c+12 −2 modifieddiff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 8d5ca450aa5d23..1fee84ea20af1b 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -3310,6 +3310,15 @@ static struct ext4_ext_path *ext4_split_extent_at(handle_t *handle, } if (!err) { + /* + * The first half contains partially valid data, the + * splitting of this extent has not been completed, fix + * extent length and ext4_split_extent() split will the + * first half again. + */ + if (split_flag & EXT4_EXT_DATA_PARTIAL_VALID1) + goto fix_extent_len; + /* update the extent length and mark as initialized */ ex->ee_len = cpu_to_le16(ee_len); ext4_ext_try_to_merge(handle, inode, path, ex); @@ -3379,7 +3388,9 @@ static struct ext4_ext_path *ext4_split_extent(handle_t *handle, split_flag1 |= EXT4_EXT_MARK_UNWRIT1 | EXT4_EXT_MARK_UNWRIT2; if (split_flag & EXT4_EXT_DATA_VALID2) - split_flag1 |= EXT4_EXT_DATA_ENTIRE_VALID1; + split_flag1 |= map->m_lblk > ee_block ? + EXT4_EXT_DATA_PARTIAL_VALID1 : + EXT4_EXT_DATA_ENTIRE_VALID1; path = ext4_split_extent_at(handle, inode, path, map->m_lblk + map->m_len, split_flag1, flags1); if (IS_ERR(path)) -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Incorrect flag selection in ext4_split_extent() causes the entire unwritten extent to be zeroed and marked written when a split at the right boundary fails, leaving stale data in the left portion that is later split off as a written extent."
Attack vector
An attacker can trigger this bug by performing file I/O that causes the ext4 filesystem to allocate initialized blocks from a large unwritten extent, or by triggering end I/O that splits an unwritten extent and converts it to initialized. When the extent needs to be split in the middle (at logical block B, with valid data in range A–B), ext4_split_extent() first attempts to split at B with the EXT4_EXT_DATA_ENTIRE_VALID1 flag. If that split fails due to temporary lack of space, the code zeroes out B–N and marks the entire extent 0–N as written, corrupting the valid data in 0–A. A subsequent successful split at A then leaves a written extent from 0–A containing stale data [patch_id=2662025].
Affected code
The vulnerability is in fs/ext4/extents.c, in the functions ext4_split_extent_at() and ext4_split_extent() [patch_id=2662025]. The faulty logic is in the flag assignment at line ~3379 where EXT4_EXT_DATA_ENTIRE_VALID1 was unconditionally set, and in the missing early-exit path in ext4_split_extent_at() that would otherwise prevent marking the first half as initialized when the split is partial.
What the fix does
The patch modifies two locations in fs/ext4/extents.c [patch_id=2662025]. In ext4_split_extent_at(), a new check for EXT4_EXT_DATA_PARTIAL_VALID1 is added: when this flag is set and the split succeeds, the code jumps to fix_extent_len instead of marking the extent as initialized, keeping the first half unwritten. In ext4_split_extent(), the flag passed to the first split call is changed from unconditionally EXT4_EXT_DATA_ENTIRE_VALID1 to conditionally EXT4_EXT_DATA_PARTIAL_VALID1 when map->m_lblk > ee_block (i.e., when the split point is not at the start of the extent). This ensures that if the first split fails and zeroes out the tail, the left portion remains unwritten and will be properly handled by the second split call.
Preconditions
- configThe filesystem must be ext4 and use extents (the default for most ext4 configurations).
- inputAn unwritten extent must exist that needs to be split in the middle (i.e., the split point is not at the start of the extent).
- inputThe first split attempt at the right boundary must fail due to temporary lack of space (e.g., insufficient journal space).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/1bf6974822d1dba86cf11b5f05498581cf3488a2nvd
- git.kernel.org/stable/c/58ddae5d77b1db3a27b891c75a8fa120239ac092nvd
- git.kernel.org/stable/c/7015fcf473796e1d2d876f241bd9e0c36f3d4eefnvd
- git.kernel.org/stable/c/d17857b4fb9ba5745b59be0ef38fd532991fccbfnvd
- git.kernel.org/stable/c/d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88nvd
News mentions
0No linked articles in our index yet.