From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com, Tadeusz Struk, Theodore Tso, stable@kernel.org
Subject: [PATCH 4.19 40/53] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
Date: Tue, 26 Apr 2022 10:21:20 +0200
Message-Id: <20220426081736.823404701@linuxfoundation.org>
In-Reply-To: <20220426081735.651926456@linuxfoundation.org>
References: <20220426081735.651926456@linuxfoundation.org>
From: Tadeusz Struk

commit 2da376228a2427501feb9d15815a45dbdbdd753e upstream.

Syzbot found an issue [1] in ext4_fallocate().
The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
and offset 0x1000000ul, which, when added together exceed the
bitmap_maxbytes for the inode. This triggers a BUG in
ext4_ind_remove_space(). According to the comments in this function
the 'end' parameter needs to be one block after the last block to be
removed. In the case when the BUG is triggered it points to the last
block. Modify the ext4_punch_hole() function and add a constraint that
caps the length to satisfy the one before last block requirement.

LINK: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000

Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk
Link: https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org
Signed-off-by: Theodore Ts'o
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman

--- fs/ext4/inode.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4314,7 +4314,8 @@ int ext4_punch_hole(struct inode *inode, struct super_block *sb = inode->i_sb; ext4_lblk_t first_block, stop_block; struct address_space *mapping = inode->i_mapping; - loff_t first_block_offset, last_block_offset; + loff_t first_block_offset, last_block_offset, max_length; + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); handle_t *handle; unsigned int credits; int ret = 0; 
@@ -4360,6 +4361,14 @@ int ext4_punch_hole(struct inode *inode, offset; } + /* + * For punch hole the length + offset needs to be within one block + * before last range. Adjust the length if it goes beyond that limit. + */ + max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize; + if (offset + length > max_length) + length = max_length - offset; + if (offset & (sb->s_blocksize - 1) || (offset + length) & (sb->s_blocksize - 1)) { /*
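Review bot: in the declaration hunk (@@ -4314), the new `sbi` local is derived from `inode->i_sb` even though the function already has `struct super_block *sb = inode->i_sb;` two lines above; `EXT4_SB(sb)` keeps the two consistent, and since `sbi` is read exactly once (for `s_bitmap_maxbytes` in the second hunk) the local could be dropped in favour of `EXT4_SB(sb)->s_bitmap_maxbytes` at the point of use.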
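Review bot: in the cap hunk (@@ -4360), `if (offset + length > max_length) length = max_length - offset;` does not cover `offset >= max_length`: in that case `length` is left at zero or a negative value and flows straight into the alignment test below instead of being rejected, so the case should be handled explicitly (for instance by returning -EINVAL when the clamped length is not positive) unless an earlier check in this function already guarantees `offset < max_length`. The commit message ties the limit to the indirect-mapped path (the BUG is in ext4_ind_remove_space()), yet the cap is applied unconditionally to every inode; if extent-mapped inodes are meant to be capped the same way, the new comment should say why. Minor: `inode->i_sb->s_blocksize` can be written `sb->s_blocksize`, matching the existing condition directly beneath it.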