CVE-2026-43067

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: handle wraparound when searching for blocks for indirect mapped blocks<br /> <br /> Commit 4865c768b563 ("ext4: always allocate blocks only from groups<br /> inode can use") restricts what blocks will be allocated for indirect<br /> block based files to block numbers that fit within 32-bit block<br /> numbers.<br /> <br /> However, when using a review bot running on the latest Gemini LLM to<br /> check this commit when backporting into an LTS based kernel, it raised<br /> this concern:<br /> <br /> If ac-&gt;ac_g_ex.fe_group is &gt;= ngroups (for instance, if the goal<br /> group was populated via stream allocation from s_mb_last_groups),<br /> then start will be &gt;= ngroups.<br /> <br /> Does this allow allocating blocks beyond the 32-bit limit for<br /> indirect block mapped files? The commit message mentions that<br /> ext4_mb_scan_groups_linear() takes care to not select unsupported<br /> groups. However, its loop uses group = *start, and the very first<br /> iteration will call ext4_mb_scan_group() with this unsupported<br /> group because next_linear_group() is only called at the end of the<br /> iteration.<br /> <br /> After reviewing the code paths involved and considering the LLM<br /> review, I determined that this can happen when there is a file system<br /> where some files/directories are extent-mapped and others are<br /> indirect-block mapped. To address this, add a safety clamp in<br /> ext4_mb_scan_groups().