On 6/15/26 23:24, Jaegeuk Kim wrote: > On 06/15, Chao Yu wrote: >> On 6/3/26 23:49, Samuel Moelius wrote: >>> Inline dentry conversion copies names out of the inline dentry area >>> before checking that each recorded name length fits in the available >>> filename slots. >>> >>> A corrupted image can therefore make the conversion path read past >>> the inline filename storage while building the regular dentry block. >>> >>> Validate each inline dentry name length against the inline filename >>> area before copying it. >>> >>> Assisted-by: Codex:gpt-5.5-cyber-preview >>> Signed-off-by: Samuel Moelius <[email protected]> >>> --- >>> fs/f2fs/inline.c | 4 ++++ >>> 1 file changed, 4 insertions(+) >>> >>> diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c >>> index 7aabfc9b43cb..4584dfbe3fb8 100644 >>> --- a/fs/f2fs/inline.c >>> +++ b/fs/f2fs/inline.c >>> @@ -507,6 +507,10 @@ static int f2fs_add_inline_entries(struct inode *dir, >>> void *inline_dentry) >>> bit_pos++; >>> continue; >>> } >>> + if (unlikely(le16_to_cpu(de->name_len) > F2FS_NAME_LEN || >>> + bit_pos + >>> GET_DENTRY_SLOTS(le16_to_cpu(de->name_len)) > >>> + d.max)) >>> + return -EFSCORRUPTED; >> >> err = -EFSCORRUPTED; >> goto punch_dentry_pages; > > Applied with it.
Reviewed-by: Chao Yu <[email protected]> Thanks, > >> >> Thanks, >> >>> >>> /* >>> * We only need the disk_name and hash to move the dentry. >> _______________________________________________ Linux-f2fs-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
