PT-2026-43852 · Linux · Linux

Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45985

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
When allocating blocks during within-EOF DIO and writeback with dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was set when calling ext4_split_convert_extents(), which may potentially result in stale data issues.
Assume we have an unwritten extent, and then DIO writes the second half.
  [UUUUUUUUUUUUUUUU] on-disk extent        U: unwritten extent
  [UUUUUUUUUUUUUUUU] extent status tree
           |<-   ->| ----> dio write this range
First, ext4_iomap_alloc() calls ext4_map_blocks() with EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() finds this extent and calls ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the above flags set.
Then, ext4_split_convert_extents() calls ext4_split_extent() with EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2 flags set, and it calls ext4_split_extent_at() to split the second half with EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at() failed to insert the extent due to a temporary lack of space (-ENOSPC). It zeroes out the first half but converts the entire on-disk extent to written since the EXT4_EXT_DATA_VALID2 flag is set, but leaves the second half as unwritten in the extent status tree.
  [0000000000SSSSSS] data                  S: stale data, 0: zeroed
  [WWWWWWWWWWWWWWWW] on-disk extent        W: written extent
  [WWWWWWWWWWUUUUUU] extent status tree
Finally, if the DIO failed to write data to the disk, the stale data in the second half will be exposed once the cached extent entry is gone.
Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting an unwritten extent before submitting I/O, and make ext4_split_convert_extents() zero out the entire extent range for this case, and also mark the extent in the extent status tree for consistency.
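The sequence above as a small user-space model, added here as an illustration; it is not kernel code and not part of the patch. The 16-block extent, the split point at block 10 and all function names are constructed; it compares what a read can see with the old flag combination and with the fixed behaviour, before and after the cached extent entry is dropped.

```c
#include <stdio.h>
#include <string.h>
#define NBLK  16   /* constructed: extent length, matching the diagrams */
#define SPLIT 10   /* constructed: the DIO targets blocks 10..15 */
struct model {
    char data[NBLK];  /* block contents: 'S' stale, '0' zeroed */
    char disk[NBLK];  /* on-disk extent state: 'U' unwritten, 'W' written */
    char es[NBLK];    /* extent status tree (cached view of the same range) */
};

/* Split falls back to zeroout after -ENOSPC. pass_convert=1 models the old
 * flags (second half treated as valid data); 0 models the fixed behaviour. */
static void split_enospc(struct model *m, int pass_convert)
{
    size_t zero_to = pass_convert ? SPLIT : NBLK;
    memset(m->data, '0', zero_to);
    memset(m->disk, 'W', NBLK);     /* whole on-disk extent becomes written */
    memset(m->es, 'W', zero_to);    /* old path leaves es[SPLIT..] as 'U' */
}

/* A read returns block contents only where the extent is seen as written. */
static int stale_visible(const struct model *m)
{
    int i, n = 0;
    for (i = 0; i < NBLK; i++)
        n += (m->es[i] == 'W' && m->data[i] == 'S');
    return n;
}

/* Stale blocks readable after a failed DIO; evict=1 drops the cached entry. */
int exposed_after_failed_dio(int pass_convert, int evict)
{
    struct model m;
    memset(m.data, 'S', NBLK);
    memset(m.disk, 'U', NBLK);
    memset(m.es, 'U', NBLK);
    split_enospc(&m, pass_convert);
    /* The DIO fails here: blocks SPLIT..NBLK-1 are never overwritten. */
    if (evict)
        memcpy(m.es, m.disk, NBLK); /* entry is reloaded from on-disk state */
    return stale_visible(&m);
}

int main(void)
{
    printf("old flags: %d cached, %d after eviction\n",
           exposed_after_failed_dio(1, 0), exposed_after_failed_dio(1, 1));
    printf("fixed:     %d cached, %d after eviction\n",
           exposed_after_failed_dio(0, 0), exposed_after_failed_dio(0, 1));
    return 0;
}
```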

Related Identifiers

CVE-2026-45985

Affected Products

Linux