In the Linux kernel, the following vulnerability has been resolved:

ext4: fix BUG in ext4mbnewinodepa() due to overflow

When we calculate the end position of ext4freeextent, this position may be exactly where ext4lblkt (i.e. uint) overflows. For example, if acgex.felogical is 4294965248 and acoriggoallen is 2048, then the computed end is 0x100000000, which is 0. If ac->acoex.felogical is not the first case of adjusting the best extent, that is, newbexend > 0, the following BUGON will be triggered:

========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfsio Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4mbnewinodepa+0xc5/0x430 Call Trace: <TASK> ext4mbusebestfound+0x203/0x2f0 ext4mbtrybestfound+0x163/0x240 ext4mbregularallocator+0x158/0x1550 ext4mbnewblocks+0x86a/0xe10 ext4extmapblocks+0xb0c/0x13a0 ext4mapblocks+0x2cd/0x8f0 ext4iomapbegin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomapdiorw+0x243/0xcb0

iomapdiorw+0x16/0x80

A simple reproducer demonstrating the problem:

mkfs.ext4 -F /dev/sda -b 4096 100M
mount /dev/sda /tmp/test
fallocate -l1M /tmp/test/tmp
fallocate -l10M /tmp/test/file
fallocate -i -o 1M -l16777203M /tmp/test/file
fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
sleep 10 && killall -9 fsstress
rm -f /tmp/test/tmp
xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"

We simply refactor the logic for adjusting the best extent by adding a temporary ext4freeextent ex and use extentlogicalend() to avoid overflow, which also simplifies the code.