CVE-2025-40167

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-40167
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40167.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40167
Published
2025-11-12T10:26:24.498Z
Modified
2025-11-28T02:35:15.734411Z
Summary
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.

The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:

EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:
comm syz.0.17: corrupted extent tree: lblk 0 < prev 66

Investigation revealed that the inode has both flags set:

DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1

This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks

Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.

Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.
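
The check described above, as an added example that is not kernel code and not part of the original advisory: a user-space C program that reads i_flags from a raw on-disk inode buffer and reports the invalid combination, with a simplified model of the hole-length subtraction that wraps for the reported values (lblk 0, prev 66). The function names and the sample inode are constructed for illustration; the flag values and the i_flags offset follow the ext4 on-disk format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On-disk ext4 inode flag bits (values as defined in fs/ext4/ext4.h). */
#define EXT4_EXTENTS_FL     0x00080000u
#define EXT4_INLINE_DATA_FL 0x10000000u
#define I_FLAGS_OFFSET      0x20  /* byte offset of i_flags in struct ext4_inode */

/* Read a little-endian 32-bit field from a raw inode buffer. */
static uint32_t le32_at(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}

/* Returns 1 if the inode claims both inline data and an extent tree. */
int inode_has_conflicting_flags(const uint8_t *raw, size_t len)
{
    if (len < I_FLAGS_OFFSET + 4)
        return 0;  /* buffer too short to contain i_flags */
    uint32_t both = EXT4_EXTENTS_FL | EXT4_INLINE_DATA_FL;
    return (le32_at(raw, I_FLAGS_OFFSET) & both) == both;
}

/* Simplified model of the hole-length calculation (not the kernel's code):
 * with out-of-order extents lblk < prev, so the unsigned subtraction wraps. */
uint32_t hole_len(uint32_t prev, uint32_t lblk)
{
    return lblk - prev;
}

/* Constructed 128-byte sample inode: all zero except i_flags. */
static uint8_t sample_inode[128];
const uint8_t *make_sample(uint32_t flags)
{
    for (size_t i = 0; i < sizeof(sample_inode); i++)
        sample_inode[i] = 0;
    for (int i = 0; i < 4; i++)
        sample_inode[I_FLAGS_OFFSET + i] = (uint8_t)(flags >> (8 * i));
    return sample_inode;
}

int main(void)
{
    const uint8_t *ino = make_sample(EXT4_EXTENTS_FL | EXT4_INLINE_DATA_FL);
    printf("conflicting flags: %d\n", inode_has_conflicting_flags(ino, 128));
    printf("hole length for prev=66, lblk=0: %u\n", hole_len(66, 0));
    return 0;
}
```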

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40167.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Fixed
4954d297c91d292630ab43ba4d195dc371ce65d3
Fixed
f061f7c331fc16250fc82aa68964f35821687217
Fixed
2e9e10657b04152ed0d6ecae8d0c02a3405e28f5
Fixed
1437c95ab2a28b138d4521653583729f61ccb48b
Fixed
cb6039b68efa547b676a8a10fc4618d9d1865c23
Fixed
de985264eef64be8a90595908f2e6a87946dad34
Fixed
1f5ccd22ff482639133f2a0fe08f6d19d0e68717
Fixed
1d3ad183943b38eec2acf72a0ae98e635dc8456b

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40167.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.4.301
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.246
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.196
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.158
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.114
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.55
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.17.5
