bisecting fixing commit since 09688c0166e76ce2fb85e86b9d99be8b0084cdf9
building syzkaller on 9e8eaa75a18a5cf8102e862be692c0781759e51b
testing commit 09688c0166e76ce2fb85e86b9d99be8b0084cdf9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: aae7b3ddb433daa06f5f98cc3ebca6c8173ccc43ad8f4d303bb96dd88263a57a
all runs: crashed: kernel BUG in ext4_ind_remove_space
testing current HEAD c5eb0a61238dd6faf37f58c9ce61c9980aaffd7a
testing commit c5eb0a61238dd6faf37f58c9ce61c9980aaffd7a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d999ba02b7dfcd69e369d066c871ee59fbde7c6ea58dcbcd735e39159d3dbb7e
all runs: OK
# git bisect start c5eb0a61238dd6faf37f58c9ce61c9980aaffd7a 09688c0166e76ce2fb85e86b9d99be8b0084cdf9
Bisecting: 8118 revisions left to test after this (roughly 13 steps)
[25fd2d41b505d0640bdfe67aa77c549de2d3c18a] selftests: kselftest framework: provide "finished" helper
testing commit 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: e9f47f7ba2867ae63ecb432dc599092d77a9ea1bc246939059967a2786e588f6
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good 25fd2d41b505d0640bdfe67aa77c549de2d3c18a
Bisecting: 4223 revisions left to test after this (roughly 12 steps)
[ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3] Merge tag 'pinctrl-v5.18-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 61db4b313ef2181852318ab279ed44b348f31eb2b500c519a86ecd540f2d320e
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good ff61bc81b3feebcef4d0431a92e2e40e8d4fe8b3
Bisecting: 2094 revisions left to test after this (roughly 11 steps)
[6a34fdcca452457a530980be2561dab06da3627f] Merge tag 'rtc-5.18' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit 6a34fdcca452457a530980be2561dab06da3627f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 322406563baad71d1bfc16fa25a47897673654ac19a8d243e17e5672f7d39f79
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good 6a34fdcca452457a530980be2561dab06da3627f
Bisecting: 1044 revisions left to test after this (roughly 10 steps)
[fb649bda6f5642f173ee3429a965c769554f23d8] Merge tag 'block-5.18-2022-04-15' of git://git.kernel.dk/linux-block
testing commit fb649bda6f5642f173ee3429a965c769554f23d8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2a647f9c5f804d95dc4182b0477e0823494e1d154cc5ce02a6d7e44af83f4e0a
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good fb649bda6f5642f173ee3429a965c769554f23d8
Bisecting: 494 revisions left to test after this (roughly 9 steps)
[249aca0d3d631660aa3583c6a3559b75b6e971b4] Merge tag 'net-5.18-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 249aca0d3d631660aa3583c6a3559b75b6e971b4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: da4722d8704e4525735fb370283409735f5e2c48b3f6eceea1bf4ba929d75904
all runs: OK
# git bisect bad 249aca0d3d631660aa3583c6a3559b75b6e971b4
Bisecting: 276 revisions left to test after this (roughly 8 steps)
[7200095feadfb9792b744a5a6e20249ce77bc6d7] Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
testing commit 7200095feadfb9792b744a5a6e20249ce77bc6d7
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 4d31e6d593ab2fcf8565cf29cea2d1e3e0a779a1805b9dc526772fc61c809fb7
run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM
run #1: crashed: kernel BUG in ext4_ind_remove_space
run #2: crashed: kernel BUG in ext4_ind_remove_space
run #3: crashed: kernel BUG in ext4_ind_remove_space
run #4: crashed: kernel BUG in ext4_ind_remove_space
run #5: crashed: kernel BUG in ext4_ind_remove_space
run #6: crashed: kernel BUG in ext4_ind_remove_space
run #7: crashed: kernel BUG in ext4_ind_remove_space
run #8: crashed: kernel BUG in ext4_ind_remove_space
run #9: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good 7200095feadfb9792b744a5a6e20249ce77bc6d7
Bisecting: 140 revisions left to test after this (roughly 7 steps)
[cf424ef014ac30b0da27125dd1fbdf10b0d3a520] Merge tag 'for-5.18/fbdev-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev
testing commit cf424ef014ac30b0da27125dd1fbdf10b0d3a520
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 955ad60a8598ae7b91b38d17fc1e15bb688d00d4b97a4ad1671357323178392f
all runs: OK
# git bisect bad cf424ef014ac30b0da27125dd1fbdf10b0d3a520
Bisecting: 68 revisions left to test after this (roughly 6 steps)
[13bc32bad7059d6c5671e9d037e6e3ed001cc0f4] Merge tag 'drm-fixes-2022-04-23' of git://anongit.freedesktop.org/drm/drm
testing commit 13bc32bad7059d6c5671e9d037e6e3ed001cc0f4
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ef7add6d6f855fcbccc8ca4872676a3c2591d3463433d10fad6240576087c220
all runs: OK
# git bisect bad 13bc32bad7059d6c5671e9d037e6e3ed001cc0f4
Bisecting: 38 revisions left to test after this (roughly 5 steps)
[2e5991fa39e4eec45eb37a680bfdff18129cefd9] Merge tag 'ata-5.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata
testing commit 2e5991fa39e4eec45eb37a680bfdff18129cefd9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0dc6695e2dd67506135949bed010a37904a95a91f52488aa7cba39cb301ba5d2
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good 2e5991fa39e4eec45eb37a680bfdff18129cefd9
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[1f5e98e723a0be814181524a7e6aaf87a805cdc9] Merge tag 'io_uring-5.18-2022-04-22' of git://git.kernel.dk/linux-block
testing commit 1f5e98e723a0be814181524a7e6aaf87a805cdc9
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c4365aafced6a5b4604b8da394ff4a2787b8efa9af17ab2c6983cafab7986551
all runs: OK
# git bisect bad 1f5e98e723a0be814181524a7e6aaf87a805cdc9
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[23e3d7f7061f8682c751c46512718f47580ad8f0] jbd2: fix a potential race while discarding reserved buffers after an abort
testing commit 23e3d7f7061f8682c751c46512718f47580ad8f0
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 74f856ba2e09859b3431bf71156f4b6892ce0853740ab29833b871a793ae2e28
all runs: OK
# git bisect bad 23e3d7f7061f8682c751c46512718f47580ad8f0
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[2da376228a2427501feb9d15815a45dbdbdd753e] ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
testing commit 2da376228a2427501feb9d15815a45dbdbdd753e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 0163b5c71862daf309b04bbc4424e687512e8a741c8477ed6b9b151cbbc5278d
all runs: OK
# git bisect bad 2da376228a2427501feb9d15815a45dbdbdd753e
Bisecting: 2 revisions left to test after this (roughly 1 step)
[a2b0b205d125f27cddfb4f7280e39affdaf46686] ext4: fix symlink file size not match to file content
testing commit a2b0b205d125f27cddfb4f7280e39affdaf46686
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 3a0e5ac4e3fe7bb419b0d46de9a40bd0b3d68d90cc769d22e11a1a14b5adde01
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good a2b0b205d125f27cddfb4f7280e39affdaf46686
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c186f0887fe7061a35cebef024550ec33ef8fbd8] ext4: fix use-after-free in ext4_search_dir
testing commit c186f0887fe7061a35cebef024550ec33ef8fbd8
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f156a2811fa010de602cb90d5e2cb275ce3b46efa1afdbe732f763e51fb03cd1
all runs: crashed: kernel BUG in ext4_ind_remove_space
# git bisect good c186f0887fe7061a35cebef024550ec33ef8fbd8
2da376228a2427501feb9d15815a45dbdbdd753e is the first bad commit
commit 2da376228a2427501feb9d15815a45dbdbdd753e
Author: Tadeusz Struk
Date:   Thu Mar 31 13:05:15 2022 -0700

    ext4: limit length to bitmap_maxbytes - blocksize in punch_hole

    Syzbot found an issue [1] in ext4_fallocate().
    The C reproducer [2] calls fallocate(), passing size 0xffeffeff000ul,
    and offset 0x1000000ul, which, when added together, exceed the
    bitmap_maxbytes for the inode. This triggers a BUG in
    ext4_ind_remove_space(). According to the comments in this function
    the 'end' parameter needs to be one block after the last block to be
    removed. In the case when the BUG is triggered it points to the last
    block. Modify the ext4_punch_hole() function and add a constraint that
    caps the length to satisfy the one before last block requirement.

    LINK: [1] https://syzkaller.appspot.com/bug?id=b80bd9cf348aac724a4f4dff251800106d721331
    LINK: [2] https://syzkaller.appspot.com/text?tag=ReproC&x=14ba0238700000

    Fixes: a4bb6b64e39a ("ext4: enable "punch hole" functionality")
    Reported-by: syzbot+7a806094edd5d07ba029@syzkaller.appspotmail.com
    Signed-off-by: Tadeusz Struk
    Link: https://lore.kernel.org/r/20220331200515.153214-1-tadeusz.struk@linaro.org
    Signed-off-by: Theodore Ts'o
    Cc: stable@kernel.org

 fs/ext4/inode.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

culprit signature: 0163b5c71862daf309b04bbc4424e687512e8a741c8477ed6b9b151cbbc5278d
parent signature: f156a2811fa010de602cb90d5e2cb275ce3b46efa1afdbe732f763e51fb03cd1
revisions tested: 16, total time: 3h4m6.582376525s (build: 1h38m47.577961847s, test: 1h23m37.085030863s)
first good commit: 2da376228a2427501feb9d15815a45dbdbdd753e ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
recipients (to): ["adilger.kernel@dilger.ca" "linux-ext4@vger.kernel.org" "tadeusz.struk@linaro.org" "tytso@mit.edu" "tytso@mit.edu"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
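The commit message above describes the fix only in words: ext4_ind_remove_space() expects 'end' to be one block past the last block to remove, and the reproducer's offset + length lands beyond what the indirect-block map can address, so the fix caps the length at bitmap_maxbytes - blocksize. The following is an added user-space model of that arithmetic, written for this page; it is not the kernel's code and not part of the syzbot log. It assumes 4 KiB blocks and an illustrative bitmap_maxbytes of 2 TiB (the real s_bitmap_maxbytes depends on the block size and the huge_file feature), and it adds a guard of its own for a hole that starts at or past the cap. The block arithmetic (first block rounded up to a block boundary, stop block = (offset + length) >> blocksize bits) mirrors what ext4_punch_hole() computes, and the values are those named in the commit message.

```c
/*
 * Added example: user-space model of the length cap from commit
 * 2da376228a24, "ext4: limit length to bitmap_maxbytes - blocksize in
 * punch_hole". NOT the kernel's code; it reproduces the arithmetic so the
 * effect on the block range handed to ext4_ind_remove_space() can be
 * checked offline.
 *
 * Assumptions (mine, not from the page): 4 KiB blocks and an illustrative
 * bitmap_maxbytes of 2 TiB.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCKSIZE_BITS  12
#define BLOCKSIZE       ((int64_t)1 << BLOCKSIZE_BITS)
#define BITMAP_MAXBYTES ((int64_t)2 << 40)              /* assumed: 2 TiB */

/* Highest block index the indirect map can address in this model. */
#define MAX_IND_BLOCK   ((BITMAP_MAXBYTES >> BLOCKSIZE_BITS) - 1)

/*
 * The cap added by the fix: offset + length may not go past
 * bitmap_maxbytes - blocksize. Returns the length actually punched;
 * a result <= 0 means the hole starts at or past the cap and there is
 * nothing to do (this model's own guard).
 */
int64_t capped_length(int64_t offset, int64_t length)
{
    int64_t max_end = BITMAP_MAXBYTES - BLOCKSIZE;

    if (offset + length > max_end)
        return max_end - offset;
    return length;
}

/* First block of the hole: offset rounded up to a block boundary. */
int64_t first_block(int64_t offset)
{
    return (offset + BLOCKSIZE - 1) >> BLOCKSIZE_BITS;
}

/*
 * Block passed as 'end' to ext4_ind_remove_space(): one past the last
 * block to free. With apply_fix the length is capped first.
 */
int64_t stop_block(int64_t offset, int64_t length, bool apply_fix)
{
    if (apply_fix)
        length = capped_length(offset, length);
    return (offset + length) >> BLOCKSIZE_BITS;
}

/* An 'end' is usable only if it names a block the indirect map can address. */
bool stop_block_addressable(int64_t stop)
{
    return stop >= 0 && stop <= MAX_IND_BLOCK;
}

int main(void)
{
    /* Offset and size named in the commit message's description of the reproducer. */
    int64_t offset = 0x1000000LL, length = 0xffeffeff000LL;

    printf("bitmap_maxbytes (assumed) = %#llx, last addressable block = %#llx\n",
           (long long)BITMAP_MAXBYTES, (long long)MAX_IND_BLOCK);
    printf("unfixed: end block %#llx, addressable: %d\n",
           (long long)stop_block(offset, length, false),
           stop_block_addressable(stop_block(offset, length, false)));
    printf("fixed:   length capped to %#llx, end block %#llx, addressable: %d\n",
           (long long)capped_length(offset, length),
           (long long)stop_block(offset, length, true),
           stop_block_addressable(stop_block(offset, length, true)));
    return 0;
}
```

Without the cap, the reproducer's range yields an end block far past the last block the indirect map can address; with the cap, the end block is exactly the last addressable block, so the "one block after the last block to be removed" requirement quoted in the commit message holds. Holes that lie well inside the addressable range are unaffected by the cap.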