APPLIED[B]: [PATCH 1/1] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
Luke Nowakowski-Krijger
luke.nowakowskikrijger at canonical.com
Mon May 9 18:36:53 UTC 2022
Applied to bionic/linux master-next
Thanks!
- Luke
On Mon, May 9, 2022 at 7:01 AM Paolo Pisati <paolo.pisati at canonical.com>
wrote:
> From: Tadeusz Struk <tadeusz.struk at linaro.org>
>
> BugLink: https://bugs.launchpad.net/bugs/196947
>
> Syzbot found an issue [1] in ext4_fallocate().
> The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
> and offset 0x1000000ul, which, when added together exceed the
> bitmap_maxbytes for the inode. This triggers a BUG in
> ext4_ind_remove_space(). According to the comments in this function
> the 'end' parameter needs to be one block after the last block to be
> removed. In the case when the BUG is triggered it points to the last
> block. Modify the ext4_punch_hole() function and add a constraint that
> caps the length to satisfy the one before last block requirement.
>
> LINK: [1]
> https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
> LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000
>
> Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
> Reported-by: syzbot+7a806094edd5d07ba029 at syzkaller.appspotmail.com
> Signed-off-by: Tadeusz Struk <tadeusz.struk at linaro.org>
> Link:
> https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org
> Signed-off-by: Theodore Ts'o <tytso at mit.edu>
> Cc: stable at kernel.org
> (cherry picked from commit 2da376228a2427501feb9d15815a45dbdbdd753e)
> Reported-by: Colin King <colin.i.king at gmail.com>
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
> ---
> fs/ext4/inode.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 54d8bdd46b9f..d22b2a522ef1 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -4314,7 +4314,8 @@ int ext4_punch_hole(struct inode *inode, loff_t
> offset, loff_t length)
> struct super_block *sb = inode->i_sb;
> ext4_lblk_t first_block, stop_block;
> struct address_space *mapping = inode->i_mapping;
> - loff_t first_block_offset, last_block_offset;
> + loff_t first_block_offset, last_block_offset, max_length;
> + struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
> handle_t *handle;
> unsigned int credits;
> int ret = 0;
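Review bot: the new `sbi` initializer spells out `EXT4_SB(inode->i_sb)` even though `sb` is already declared as `inode->i_sb` a few lines above in the same declaration block. `EXT4_SB(sb)` would match the existing local and keep the function consistent, since the surrounding code uses `sb->s_blocksize` rather than `inode->i_sb->s_blocksize`.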
> @@ -4360,6 +4361,14 @@ int ext4_punch_hole(struct inode *inode, loff_t
> offset, loff_t length)
> offset;
> }
>
> + /*
> + * For punch hole the length + offset needs to be within one block
> + * before last range. Adjust the length if it goes beyond that
> limit.
> + */
> + max_length = sbi->s_bitmap_maxbytes - inode->i_sb->s_blocksize;
> + if (offset + length > max_length)
> + length = max_length - offset;
> +
> if (offset & (sb->s_blocksize - 1) ||
> (offset + length) & (sb->s_blocksize - 1)) {
> /*
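Review bot: in `length = max_length - offset;` nothing visible in this hunk guarantees `offset < max_length`, so an offset at or beyond the limit leaves `length` zero or negative, and that value then feeds the `(offset + length) & (sb->s_blocksize - 1)` test directly below. Either add an explicit guard for that case before the clamp or name in the comment the earlier check that rules it out. The clamp also uses `s_bitmap_maxbytes` unconditionally, so it is worth stating whether it is meant to apply to every inode or only to those handled by `ext4_ind_remove_space()`. The comment wording "within one block before last range" is hard to parse; saying that `offset + length` must not exceed `s_bitmap_maxbytes` minus one block would match the code.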
> --
> 2.25.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>