This is a note to let you know that I've just added the patch titled ext4: check for directory entries too close to block end to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ext4-check-for-directory-entries-too-close-to-block-end.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 109ba779d6cca2d519c5dd624a3276d03e21948e Mon Sep 17 00:00:00 2001 From: Jan Kara <jack@xxxxxxx> Date: Mon, 2 Dec 2019 18:02:13 +0100 Subject: ext4: check for directory entries too close to block end From: Jan Kara <jack@xxxxxxx> commit 109ba779d6cca2d519c5dd624a3276d03e21948e upstream. ext4_check_dir_entry() currently does not catch a case when a directory entry ends so close to the block end that the header of the next directory entry would not fit in the remaining space. This can lead to directory iteration code trying to access address beyond end of current buffer head leading to oops. CC: stable@xxxxxxxxxxxxxxx Signed-off-by: Jan Kara <jack@xxxxxxx> Link: https://lore.kernel.org/r/20191202170213.4761-3-jack@xxxxxxx Signed-off-by: Theodore Ts'o <tytso@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/ext4/dir.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -76,6 +76,11 @@ int __ext4_check_dir_entry(const char *f error_msg = "rec_len is too small for name_len"; else if (unlikely(((char *) de - buf) + rlen > size)) error_msg = "directory entry overrun"; + else if (unlikely(((char *) de - buf) + rlen > + size - EXT4_DIR_REC_LEN(1) && + ((char *) de - buf) + rlen != size)) { + error_msg = "directory entry too close to block end"; + } else if (unlikely(le32_to_cpu(de->inode) > le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count))) error_msg = "inode out of bounds"; Patches currently in stable-queue which might be from jack@xxxxxxx are queue-4.14/ext4-check-for-directory-entries-too-close-to-block-end.patch queue-4.14/ext4-fix-ext4_empty_dir-for-directories-with-holes.patch