CVE-2022-50021

In the Linux kernel, the following vulnerability has been resolved:

ext4: block range must be validated before use in ext4mbclear_bb()

Block range to free is validated in ext4freeblocks() using ext4inodeblockvalid() and then it's passed to ext4mbclearbb(). However in some situations on bigalloc file system the range might be adjusted after the validation in ext4freeblocks() which can lead to troubles on corrupted file systems such as one found by syzkaller that resulted in the following BUG

kernel BUG at fs/ext4/ext4.h:3319! PREEMPT SMP NOPTI CPU: 28 PID: 4243 Comm: repro Kdump: loaded Not tainted 5.19.0-rc6+ #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014 RIP: 0010:ext4freeblocks+0x95e/0xa90 Call Trace: <TASK> ? locktimerbase+0x61/0x80 ? __esremoveextent+0x5a/0x760 ? __modtimer+0x256/0x380 ? ext4indtruncateensurecredits+0x90/0x220 ext4clearblocks+0x107/0x1b0 ext4freedata+0x15b/0x170 ext4indtruncate+0x214/0x2c0 ? rawspinunlock+0x15/0x30 ? ext4discardpreallocations+0x15a/0x410 ? ext4journalcheck_start+0xe/0x90 ? __ext4journalstartsb+0x2f/0x110 ext4truncate+0x1b5/0x460 ? __ext4journalstart_sb+0x2f/0x110 ext4evictinode+0x2b4/0x6f0 evict+0xd0/0x1d0 ext4enablequotas+0x11f/0x1f0 ext4orphancleanup+0x3de/0x430 ? proccreateseqprivate+0x43/0x50 ext4fillsuper+0x295f/0x3ae0 ? snprintf+0x39/0x40 ? sgetfc+0x19c/0x330 ? ext4reconfigure+0x850/0x850 gettreebdev+0x16d/0x260 vfsgettree+0x25/0xb0 pathmount+0x431/0xa70 _x64sysmount+0xe2/0x120 dosyscall64+0x5b/0x80 ? douseraddrfault+0x1e2/0x670 ? excpagefault+0x70/0x170 entrySYSCALL64afterhwframe+0x46/0xb0 RIP: 0033:0x7fdf4e512ace

Fix it by making sure that the block range is properly validated before used every time it changes in ext4freeblocks() or ext4mbclear_bb().