Due to a signed vs unsigned comparison, an invalid extent where ee_block (the logical block) is so large that lblk + len overflow wasn't getting flagged as invalid. As a result, we tripped the BUG_ON(end < lblk) in ext4_es_cache_extent() when trying to mount a file system with a corrupted journal inode.

https://bugzilla.kernel.org/show_bug.cgi?id=205197

Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
Cc: stable@xxxxxxxxxx
--- fs/ext4/extents.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index fb0f99dc8c22..d12bc287abdc 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -367,7 +367,7 @@ ext4_ext_max_entries(struct inode *inode, int depth) static int ext4_valid_extent(struct inode *inode, struct ext4_extent *ext) { ext4_fsblk_t block = ext4_ext_pblock(ext); - int len = ext4_ext_get_actual_len(ext); + unsigned int len = ext4_ext_get_actual_len(ext); ext4_lblk_t lblock = le32_to_cpu(ext->ee_block); /* -- 2.23.0
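Review bot: the changed declaration of len in ext4_valid_extent() now carries the whole fix in its type, but nothing at that line says so, and the comparison it protects lies below the visible context. A one-line comment next to "unsigned int len" stating that len must stay unsigned so the lblock + len overflow check works would keep a later cleanup from switching it back to int and reopening the BUG_ON(end < lblk) path the commit message describes. It would also help for the message to name the comparison in ext4_valid_extent() that was evaluated with the wrong signedness, since the hunk does not show it. Separately, the patch is Cc'd to stable but has no Fixes: tag, so the affected range is left for the stable maintainers to work out; adding one, if the introducing commit is known, would make the backport scope explicit.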