CVE-2026-31452

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: convert inline data to extents when truncate exceeds inline size<br /> <br /> Add a check in ext4_setattr() to convert files from inline data storage<br /> to extent-based storage when truncate() grows the file size beyond the<br /> inline capacity. This prevents the filesystem from entering an<br /> inconsistent state where the inline data flag is set but the file size<br /> exceeds what can be stored inline.<br /> <br /> Without this fix, the following sequence causes a kernel BUG_ON():<br /> <br /> 1. Mount filesystem with inode that has inline flag set and small size<br /> 2. truncate(file, 50MB) - grows size but inline flag remains set<br /> 3. sendfile() attempts to write data<br /> 4. ext4_write_inline_data() hits BUG_ON(write_size &gt; inline_capacity)<br /> <br /> The crash occurs because ext4_write_inline_data() expects inline storage<br /> to accommodate the write, but the actual inline capacity (~60 bytes for<br /> i_block + ~96 bytes for xattrs) is far smaller than the file size and<br /> write request.<br /> <br /> The fix checks if the new size from setattr exceeds the inode&amp;#39;s actual<br /> inline capacity (EXT4_I(inode)-&gt;i_inline_size) and converts the file to<br /> extent-based storage before proceeding with the size change.<br /> <br /> This addresses the root cause by ensuring the inline data flag and file<br /> size remain consistent during truncate operations.