APPLIED[Jammy]: [PATCH 1/1] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

Mon May 9 16:33:10 UTC 2022

Thanks for handling this so promptly!

On 09/05/2022 17:29, Kleber Souza wrote:
> 
> 
> On 09.05.22 16:00, Paolo Pisati wrote:
>> From: Tadeusz Struk <tadeusz.struk at linaro.org>
>>
>> BugLink: https://bugs.launchpad.net/bugs/196947
>>
>> Syzbot found an issue [1] in ext4_fallocate().
>> The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
>> and offset 0x1000000ul, which, when added together exceed the
>> bitmap_maxbytes for the inode. This triggers a BUG in
>> ext4_ind_remove_space(). According to the comments in this function
>> the 'end' parameter needs to be one block after the last block to be
>> removed. In the case when the BUG is triggered it points to the last
>> block. Modify the ext4_punch_hole() function and add constraint that
>> caps the length to satisfy the one before laster block requirement.
>>
>> LINK: [1] 
>> https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331 
>>
>> LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000
>>
>> Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
>> Reported-by: syzbot+7a806094edd5d07ba029 at syzkaller.appspotmail.com
>> Signed-off-by: Tadeusz Struk <tadeusz.struk at linaro.org>
>> Link: 
>> https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org 
>>
>> Signed-off-by: Theodore Ts'o <tytso at mit.edu>
>> Cc: stable at kernel.org
>> (cherry picked from commit 2da376228a2427501feb9d15815a45dbdbdd753e)
>> Reported-by: Colin King <colin.i.king at gmail.com>
>> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
> 
> Applied to impish:linux with some fuzz.
> 
> Thanks,
> Kleber
> 
>> ---
>>   fs/ext4/inode.c | 11 ++++++++++-
>>   1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
>> index 54d8bdd46b9f..d22b2a522ef1 100644
>> --- a/fs/ext4/inode.c
>> +++ b/fs/ext4/inode.c
>> @@ -4314,7 +4314,8 @@ int ext4_punch_hole(struct inode *inode, loff_t 
>> offset, loff_t length)
>>       struct super_block *sb = inode->i_sb;
>>       ext4_lblk_t first_block, stop_block;
>>       struct address_space *mapping = inode->i_mapping;
>> -    loff_t first_block_offset, last_block_offset;
>> +    loff_t first_block_offset, last_block_offset, max_length;
>> +    struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
>>       handle_t *handle;
>>       unsigned int credits;
>>       int ret = 0;
>> @@ -4360,6 +4361,14 @@ int ext4_punch_hole(struct inode *inode, loff_t 
>> offset, loff_t length)
>>              offset;
>>       }
>> +    /*
>> +     * For punch hole the length + offset needs to be within one block
>> +     * before last range. Adjust the length if it goes beyond that 
>> limit.
>> +     */
>> +    max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize;
>> +    if (offset + length > max_length)
>> +        length = max_length - offset;
>> +
>>       if (offset & (sb->s_blocksize - 1) ||
>>           (offset + length) & (sb->s_blocksize - 1)) {
>>           /*