Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp3847228ioa;
        Tue, 26 Apr 2022 10:53:28 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwVKhcsG5HPYX06nNgzFB9Xpc8DJ8Y8k62Arhe5AjXDR6kVzL5UBFGGDZWQrQYJd0ardsJX
X-Received: by 2002:a63:b46:0:b0:3ab:754f:bcb2 with SMTP id a6-20020a630b46000000b003ab754fbcb2mr6354673pgl.249.1650995608409;
        Tue, 26 Apr 2022 10:53:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1650995608; cv=none;
        d=google.com; s=arc-20160816;
        b=xP6Jn275+Fj0CKBIqNYrjknnZY4kvmWgCZFs2Xcf47aC2ht9qZWENAVAGkRWZgXXjt
         Ze9jmm7fO6QD/r9Yy2FFZAm5y5FwoYsOYkqkkXG7tnilPjNaOog7UUs3AQlD1LhCLwUy
         MOnjT0xoCfkvPqw0H+89dC2coXsDkSaQmafFcBxEoPSWfQyqxxl3QDfjh4TAqN3ngpzG
         mIs3WZacBoYHfKyc9POQ2v/mK0VCiyPGR6CexDn4qTEc6RGe1P4nT1Mn27a65jGkmumH
         YNF7HQV+DGiI0zOL0Th9pIr2XcPSpysaOK8dWTQxjjV7lM5H0n7yLy62AEk9BmO9PNzn
         /cnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=yH5ThuYyd4k0e4TmmoIkE18dBZaQDtYPxtSMQYSR/vY=;
        b=JZS5G3NTE9txPJyV6s/2dScWrh8GAKF3KSBWh+f+LVQuEfhM5O7dSyhDxl4L5RY5zl
         +6Hir8t+VcCx6XnlUVLhC3d1R1bmZsdEyhy8I0pppwk3YwyWl5Hu8nNl+xDRowr6f00c
         XrTYHk7KerrNN1MyYFb2JRwhouwY4RfobqtJmMRPNcli14k+j33cleT1ZQg2cNpfodoP
         52Lr68fQVNkwEMpgUcld0nXLqSmLCQ8+Ji3YfAPGcg29R/GfIc+vsNH3kRU+U+CQIXjR
         GxLk31s8jpFd2j0teQZhHWGhIr9NnLIPtuekxHPWKTWxcIPj1rPr2mbDLbY8/Z/uTUwh
         Er1g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=IjZKQwiy;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id n15-20020a63f80f000000b003aa16714acbsi20494639pgh.173.2022.04.26.10.53.11;
        Tue, 26 Apr 2022 10:53:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=IjZKQwiy;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1347533AbiDZJUT (ORCPT <rfc822;andre.cachopas@gmail.com>
        + 99 others); Tue, 26 Apr 2022 05:20:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44652 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1345849AbiDZI5B (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Apr 2022 04:57:01 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 001A98300C;
        Tue, 26 Apr 2022 01:41:40 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id A8AC1B81CED;
        Tue, 26 Apr 2022 08:41:39 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 17279C385A4;
        Tue, 26 Apr 2022 08:41:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1650962498;
        bh=Wky2LVegEVbuR6r6OwodDevRj0k5Ql7r04s9AbO0HOM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=IjZKQwiyFFuGETzD+UKJv+Vyv5d450ofyw+ezR3/AOi2gztryhWujKnM/5Lhb8VkW
         1gLdWGad0x1t/aZowGpI6p+XkYtdzhnOJjSE8bSLJDurWr+Iy5IJBbq0agNaNIYiX8
         1DiFzIfEF8PMsoOR61vqPTBIGvp2dkOvpb4K55EE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com,
        Tadeusz Struk <tadeusz.struk@linaro.org>,
        Theodore Tso <tytso@mit.edu>, stable@kernel.org
Subject: [PATCH 5.15 116/124] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
Date:   Tue, 26 Apr 2022 10:21:57 +0200
Message-Id: <20220426081750.588477544@linuxfoundation.org>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220426081747.286685339@linuxfoundation.org>
References: <20220426081747.286685339@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tadeusz Struk <tadeusz.struk@linaro.org>

commit 2da376228a2427501feb9d15815a45dbdbdd753e upstream.

Syzbot found an issue [1] in ext4_fallocate().
The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
and offset 0x1000000ul, which, when added together exceed the
bitmap_maxbytes for the inode. This triggers a BUG in
ext4_ind_remove_space(). According to the comments in this function
the 'end' parameter needs to be one block after the last block to be
removed. In the case when the BUG is triggered it points to the last
block. Modify the ext4_punch_hole() function and add constraint that
caps the length to satisfy the one before laster block requirement.

LINK: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000

Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Link: https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/inode.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3945,7 +3945,8 @@ int ext4_punch_hole(struct file *file, l
 	struct super_block *sb = inode->i_sb;
 	ext4_lblk_t first_block, stop_block;
 	struct address_space *mapping = inode->i_mapping;
-	loff_t first_block_offset, last_block_offset;
+	loff_t first_block_offset, last_block_offset, max_length;
+	struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
 	handle_t *handle;
 	unsigned int credits;
 	int ret = 0, ret2 = 0;
@@ -3988,6 +3989,14 @@ int ext4_punch_hole(struct file *file, l
 		   offset;
 	}
 
+	/*
+	 * For punch hole the length + offset needs to be within one block
+	 * before last range. Adjust the length if it goes beyond that limit.
+	 */
+	max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize;
+	if (offset + length > max_length)
+		length = max_length - offset;
+
 	if (offset & (sb->s_blocksize - 1) ||
 	    (offset + length) & (sb->s_blocksize - 1)) {
 		/*