git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/commit
ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
author    Tadeusz Struk <tadeusz.struk@linaro.org>    Mon, 9 May 2022 14:00:54 +0000 (16:00 +0200)
committer Stefan Bader <stefan.bader@canonical.com>   Wed, 18 May 2022 13:53:47 +0000 (15:53 +0200)
commit    547b54408744f4fee35a791c275f7bda66dc8757
tree      ea5a7b4c67d0eac0aa738b52928af2287590f6bf
parent    fb7206fb45093a41f3c9f3c902fc2f5c9f8a796c
ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

BugLink: https://bugs.launchpad.net/bugs/1972281
Syzbot found an issue [1] in ext4_fallocate().
The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul
and offset 0x1000000ul, which, when added together, exceed the
bitmap_maxbytes for the inode. This triggers a BUG in
ext4_ind_remove_space(). According to the comments in this function
the 'end' parameter needs to be one block after the last block to be
removed. In the case when the BUG is triggered it points to the last
block. Modify the ext4_punch_hole() function and add a constraint that
caps the length to satisfy the one-before-last block requirement.

LINK: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000

Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Link: https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
(cherry picked from commit 2da376228a2427501feb9d15815a45dbdbdd753e)
Reported-by: Colin King <colin.i.king@gmail.com>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
fs/ext4/inode.c
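A user-space model of the length cap this commit describes, added here as an illustration and not the kernel's own code: the block size and the bitmap_maxbytes value are assumed constants (the real value comes from the superblock), while the offset and size are the reproducer values quoted in the message. It shows that the unclamped range ends past the last mappable block and that the clamp pulls it back.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model, not taken from the page: 4 KiB blocks and
 * a bitmap_maxbytes of 4 TiB for an indirect-mapped inode. */
#define BLOCKSIZE       4096ULL
#define BITMAP_MAXBYTES 0x40000000000ULL

/* Cap a punch-hole range so that offset + length never exceeds
 * bitmap_maxbytes - blocksize, the rule the commit message states.
 * The comparison is written so that offset + length cannot overflow. */
static uint64_t clamp_punch_hole_len(uint64_t offset, uint64_t length,
                                     uint64_t maxbytes, uint64_t blocksize)
{
    uint64_t max_end = maxbytes - blocksize;

    if (offset >= max_end)
        return 0;                   /* nothing left inside the mappable range */
    if (length > max_end - offset)
        length = max_end - offset;  /* shrink to end one block before the limit */
    return length;
}

/* Model of the 'end' argument handed to the indirect-map remover: one block
 * past the last block to be removed. In this model it is valid only while it
 * still names a block the inode can map (end_blk < maxbytes / blocksize);
 * the reproducer's unclamped range pushes it beyond that. */
static int end_block_is_valid(uint64_t offset, uint64_t length,
                              uint64_t maxbytes, uint64_t blocksize)
{
    uint64_t end_blk = offset / blocksize + length / blocksize;

    return end_blk < maxbytes / blocksize;
}

int main(void)
{
    /* Offset and size from the syzbot reproducer quoted in the commit message. */
    uint64_t off = 0x1000000ULL, len = 0xffeffeff000ULL;
    uint64_t clamped = clamp_punch_hole_len(off, len, BITMAP_MAXBYTES, BLOCKSIZE);

    printf("unclamped: end block valid = %d\n",
           end_block_is_valid(off, len, BITMAP_MAXBYTES, BLOCKSIZE));
    printf("clamped length 0x%llx: end block valid = %d\n",
           (unsigned long long)clamped,
           end_block_is_valid(off, clamped, BITMAP_MAXBYTES, BLOCKSIZE));
    return 0;
}
```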