{"id":"CVE-2023-53100","summary":"ext4: fix WARNING in ext4_update_inline_data","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix WARNING in ext4_update_inline_data\n\nSyzbot found the following issue:\nEXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 without journal. Quota mode: none.\nfscrypt: AES-256-CTS-CBC using implementation \"cts-cbc-aes-aesni\"\nfscrypt: AES-256-XTS using implementation \"xts-aes-aesni\"\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 5071 at mm/page_alloc.c:5525 __alloc_pages+0x30a/0x560 mm/page_alloc.c:5525\nModules linked in:\nCPU: 1 PID: 5071 Comm: syz-executor263 Not tainted 6.2.0-rc1-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:__alloc_pages+0x30a/0x560 mm/page_alloc.c:5525\nRSP: 0018:ffffc90003c2f1c0 EFLAGS: 00010246\nRAX: ffffc90003c2f220 RBX: 0000000000000014 RCX: 0000000000000000\nRDX: 0000000000000028 RSI: 0000000000000000 RDI: ffffc90003c2f248\nRBP: ffffc90003c2f2d8 R08: dffffc0000000000 R09: ffffc90003c2f220\nR10: fffff52000785e49 R11: 1ffff92000785e44 R12: 0000000000040d40\nR13: 1ffff92000785e40 R14: dffffc0000000000 R15: 1ffff92000785e3c\nFS:  0000555556c0d300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f95d5e04138 CR3: 00000000793aa000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n __alloc_pages_node include/linux/gfp.h:237 [inline]\n alloc_pages_node include/linux/gfp.h:260 [inline]\n __kmalloc_large_node+0x95/0x1e0 mm/slab_common.c:1113\n __do_kmalloc_node mm/slab_common.c:956 [inline]\n __kmalloc+0xfe/0x190 mm/slab_common.c:981\n kmalloc include/linux/slab.h:584 [inline]\n kzalloc include/linux/slab.h:720 [inline]\n ext4_update_inline_data+0x236/0x6b0 fs/ext4/inline.c:346\n ext4_update_inline_dir fs/ext4/inline.c:1115 [inline]\n ext4_try_add_inline_entry+0x328/0x990 fs/ext4/inline.c:1307\n ext4_add_entry+0x5a4/0xeb0 fs/ext4/namei.c:2385\n ext4_add_nondir+0x96/0x260 fs/ext4/namei.c:2772\n ext4_create+0x36c/0x560 fs/ext4/namei.c:2817\n lookup_open fs/namei.c:3413 [inline]\n open_last_lookups fs/namei.c:3481 [inline]\n path_openat+0x12ac/0x2dd0 fs/namei.c:3711\n do_filp_open+0x264/0x4f0 fs/namei.c:3741\n do_sys_openat2+0x124/0x4e0 fs/open.c:1310\n do_sys_open fs/open.c:1326 [inline]\n __do_sys_openat fs/open.c:1342 [inline]\n __se_sys_openat fs/open.c:1337 [inline]\n __x64_sys_openat+0x243/0x290 fs/open.c:1337\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nAbove issue happens as follows:\next4_iget\n   ext4_find_inline_data_nolock -\u003ei_inline_off=164 i_inline_size=60\next4_try_add_inline_entry\n   __ext4_mark_inode_dirty\n      ext4_expand_extra_isize_ea -\u003ei_extra_isize=32 s_want_extra_isize=44\n         ext4_xattr_shift_entries\n\t -\u003eafter shift i_inline_off is incorrect, actually is change to 176\next4_try_add_inline_entry\n  ext4_update_inline_dir\n    get_max_inline_xattr_value_size\n      if (EXT4_I(inode)-\u003ei_inline_off)\n\tentry = (struct ext4_xattr_entry *)((void *)raw_inode +\n\t\t\tEXT4_I(inode)-\u003ei_inline_off);\n        free += EXT4_XATTR_SIZE(le32_to_cpu(entry-\u003ee_value_size));\n\t-\u003eAs entry is incorrect, then 'free' may be negative\n   ext4_update_inline_data\n      value = kzalloc(len, GFP_NOFS);\n      -\u003e len is unsigned int, maybe very large, then trigger warning when\n         'kzalloc()'\n\nTo resolve the above issue we need to update 'i_inline_off' after\n'ext4_xattr_shift_entries()'.  We do not need to set\nEXT4_STATE_MAY_INLINE_DATA flag here, since ext4_mark_inode_dirty()\nalready sets this flag if needed.  Setting EXT4_STATE_MAY_INLINE_DATA\nwhen it is needed may trigger a BUG_ON in ext4_writepages().","modified":"2026-04-03T13:14:36.109400841Z","published":"2025-05-02T15:55:43.113Z","related":["SUSE-SU-2025:01918-1","SUSE-SU-2025:01966-1","SUSE-SU-2025:01983-1","SUSE-SU-2025:02173-1","SUSE-SU-2025:02262-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53100.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2b96b4a5d9443ca4cad58b0040be455803c05a42"},{"type":"WEB","url":"https://git.kernel.org/stable/c/35161cec76772f74526f5886ad4082ec48511d5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/39c5df2ca544368b44b59d0f6d80131e90763371"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74d775083e9f3d9dadf9e3b5f3e0028d1ad0bd5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/92eee6a82a9a6f9f83559e17a2b6b935e1a5cd25"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a9bd94f67b27739bbe8583c52256502bd4cc7e83"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5aa102b433b1890e1ccaa40c06826c77dda1665"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ca500cf2eceb5a8e93bf71ab97b5f7a18ecabce2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53100.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53100"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"67cf5b09a46f72e048501b84996f2f77bc42e947"},{"fixed":"c5aa102b433b1890e1ccaa40c06826c77dda1665"},{"fixed":"39c5df2ca544368b44b59d0f6d80131e90763371"},{"fixed":"74d775083e9f3d9dadf9e3b5f3e0028d1ad0bd5c"},{"fixed":"a9bd94f67b27739bbe8583c52256502bd4cc7e83"},{"fixed":"ca500cf2eceb5a8e93bf71ab97b5f7a18ecabce2"},{"fixed":"35161cec76772f74526f5886ad4082ec48511d5c"},{"fixed":"92eee6a82a9a6f9f83559e17a2b6b935e1a5cd25"},{"fixed":"2b96b4a5d9443ca4cad58b0040be455803c05a42"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53100.json"}}],"schema_version":"1.7.5"}