CVE-2022-49708

Source
https://cve.org/CVERecord?id=CVE-2022-49708
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49708.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49708
Downstream
Related
Published
2025-02-26T02:24:26.142Z
Modified
2026-05-15T11:54:38.483036794Z
Summary
ext4: fix bug_on ext4_mb_use_inode_pa
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bug_on ext4_mb_use_inode_pa

Hulk Robot reported a BUG_ON:

    kernel BUG at fs/ext4/mballoc.c:3211!
    [...]
    RIP: 0010:ext4_mb_mark_diskspace_used.cold+0x85/0x136f
    [...]
    Call Trace:
     ext4_mb_new_blocks+0x9df/0x5d30
     ext4_ext_map_blocks+0x1803/0x4d80
     ext4_map_blocks+0x3a4/0x1a10
     ext4_writepages+0x126d/0x2c30
     do_writepages+0x7f/0x1b0
     __filemap_fdatawrite_range+0x285/0x3b0
     file_write_and_wait_range+0xb1/0x140
     ext4_sync_file+0x1aa/0xca0
     vfs_fsync_range+0xfb/0x260
     do_fsync+0x48/0xa0
    [...]

Above issue may happen as follows:

    do_fsync
     vfs_fsync_range
      ext4_sync_file
       file_write_and_wait_range
        __filemap_fdatawrite_range
         do_writepages
          ext4_writepages
           mpage_map_and_submit_extent
            mpage_map_one_extent
             ext4_map_blocks
              ext4_mb_new_blocks
               ext4_mb_normalize_request
                >>> start + size <= ac->ac_o_ex.fe_logical
               ext4_mb_regular_allocator
                ext4_mb_simple_scan_group
                 ext4_mb_use_best_found
                  ext4_mb_new_preallocation
                   ext4_mb_new_inode_pa
                    ext4_mb_use_inode_pa
                     >>> set ac->ac_b_ex.fe_len <= 0
               ext4_mb_mark_diskspace_used
                >>> BUG_ON(ac->ac_b_ex.fe_len <= 0);

we can easily reproduce this problem with the following commands:

    fallocate -l100M disk
    mkfs.ext4 -b 1024 -g 256 disk
    mount disk /mnt
    fsstress -d /mnt -l 0 -n 1000 -p 1

The size must be smaller than or equal to EXT4_BLOCKS_PER_GROUP. Therefore, "start + size <= ac->ac_o_ex.fe_logical" may occur when the size is truncated. So start should be the start position of the group where ac_o_ex.fe_logical is located after alignment. In addition, when the value of fe_logical or EXT4_BLOCKS_PER_GROUP is very large, the value calculated by start_off is more accurate.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49708.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.9.320
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.285
Type
ECOSYSTEM
Events
Introduced
4.11.0
Fixed
4.19.249
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
5.4.200
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.10.124
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.15.49
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.18.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49708.json"