There is a case where s_first_data_block is not 0 and the block nr is smaller than s_first_data_block when calculating the group bitmap during allocation. This underflow makes the index exceed es->s_groups_count in ext4_get_group_info() and triggers the BUG_ON. Fix it with protection against underflow. Fixes: 72b64b594081ef ("ext4 uninline ext4_get_group_no_and_offset()") Link: https://syzkaller.appspot.com/bug?id=79d5768e9bfe362911ac1a5057a36fc6b5c30002 Reported-by: syzbot+6be2b977c89f79b6b153@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Jun Nie <jun.nie@xxxxxxxxxx> --- fs/ext4/balloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c index 8ff4b9192a9f..177ef6bd635a 100644 --- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -56,7 +56,8 @@ void ext4_get_group_no_and_offset(struct super_block *sb, ext4_fsblk_t blocknr, struct ext4_super_block *es = EXT4_SB(sb)->s_es; ext4_grpblk_t offset; - blocknr = blocknr - le32_to_cpu(es->s_first_data_block); + blocknr = blocknr > le32_to_cpu(es->s_first_data_block) ? + blocknr - le32_to_cpu(es->s_first_data_block) : 0; offset = do_div(blocknr, EXT4_BLOCKS_PER_GROUP(sb)) >> EXT4_SB(sb)->s_cluster_bits; if (offsetp) -- 2.34.1
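Review bot: the `blocknr > le32_to_cpu(es->s_first_data_block) ? ... : 0` guard in this hunk silently turns an invalid block number into group 0, offset 0 instead of rejecting it, which at allocation time means the caller will go on to touch group 0's bitmap for a block that does not exist; a blocknr below s_first_data_block is a symptom of a bad caller or corrupt on-disk metadata, so it is better to validate at the call site (the same way other out-of-range block numbers are rejected) and report it with ext4_error() than to fold it into a valid location in this helper. Two smaller points: the comparison should be `>=` rather than `>` (for blocknr == s_first_data_block both branches yield 0, so it is harmless, but `>=` states the intended bound), and the Fixes: tag points at an uninlining refactor, whereas the unchecked subtraction shown on the `-` line predates that commit, so the tag should name the change that introduced the subtraction.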
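To make the underflow the commit message describes concrete, here is an added user-space model of the arithmetic in ext4_get_group_no_and_offset(); it is not the ext4 patch's own code. The `demo_` names, the `demo_sb` struct and the 1 KiB-block geometry (s_first_data_block = 1, 8192 blocks per group, 4 groups) are assumptions for this example, not values read from a real filesystem. It shows three variants side by side: the pre-patch subtraction, which wraps and produces a group number far above s_groups_count; the patch's clamp-to-zero, which silently maps the bad block to group 0; and a stricter variant that rejects a block number below s_first_data_block or beyond the last group.

```c
/* Added example, not part of the ext4 patch. Models the group/offset
 * arithmetic of ext4_get_group_no_and_offset() in user space to show the
 * unsigned underflow and compare clamping with rejecting. All demo_* names
 * and the toy geometry below are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t ext4_fsblk_t;   /* 64-bit filesystem block number, as in ext4 */
typedef uint32_t ext4_group_t;   /* block group number (unsigned int in ext4) */
typedef int32_t  ext4_grpblk_t;  /* offset within a group */

/* Constructed stand-in for the superblock fields the real function reads. */
struct demo_sb {
    uint32_t s_first_data_block;  /* 1 on 1 KiB-block filesystems, 0 otherwise */
    uint32_t blocks_per_group;    /* EXT4_BLOCKS_PER_GROUP(sb) */
    uint32_t s_groups_count;      /* bound that ext4_get_group_info() enforces with BUG_ON */
    uint32_t s_cluster_bits;      /* 0 unless bigalloc is enabled */
};

/* Assumed geometry: 1 KiB blocks, 8192 blocks per group, 4 groups. */
static const struct demo_sb demo_1k_sb = { 1, 8192, 4, 0 };

/* Pre-patch arithmetic: unsigned subtraction with no lower-bound check.
 * Returns the group number; the offset is written through `off` if non-NULL. */
static ext4_group_t demo_group_unguarded(const struct demo_sb *sb, ext4_fsblk_t blocknr,
                                         ext4_grpblk_t *off)
{
    blocknr = blocknr - sb->s_first_data_block;  /* wraps to ~2^64 when blocknr < first data block */
    if (off)
        *off = (ext4_grpblk_t)((blocknr % sb->blocks_per_group) >> sb->s_cluster_bits);
    /* The kernel stores the quotient into a 32-bit ext4_group_t, so it truncates here too. */
    return (ext4_group_t)(blocknr / sb->blocks_per_group);
}

/* Patched arithmetic: clamp to 0 when blocknr is not above s_first_data_block. */
static ext4_group_t demo_group_clamped(const struct demo_sb *sb, ext4_fsblk_t blocknr,
                                       ext4_grpblk_t *off)
{
    blocknr = blocknr > sb->s_first_data_block ? blocknr - sb->s_first_data_block : 0;
    if (off)
        *off = (ext4_grpblk_t)((blocknr % sb->blocks_per_group) >> sb->s_cluster_bits);
    return (ext4_group_t)(blocknr / sb->blocks_per_group);
}

/* Stricter alternative: reject block numbers outside the valid range instead of
 * mapping them onto group 0. Returns 0 on success, -1 if blocknr is invalid. */
static int demo_group_checked(const struct demo_sb *sb, ext4_fsblk_t blocknr,
                              ext4_group_t *grp, ext4_grpblk_t *off)
{
    if (blocknr < sb->s_first_data_block)
        return -1;                                   /* would have underflowed */
    blocknr -= sb->s_first_data_block;
    ext4_fsblk_t g = blocknr / sb->blocks_per_group;
    if (g >= sb->s_groups_count)
        return -1;                                   /* would trip the BUG_ON in ext4_get_group_info() */
    if (grp)
        *grp = (ext4_group_t)g;
    if (off)
        *off = (ext4_grpblk_t)((blocknr % sb->blocks_per_group) >> sb->s_cluster_bits);
    return 0;
}

int main(void)
{
    ext4_grpblk_t off;
    ext4_group_t grp;

    grp = demo_group_unguarded(&demo_1k_sb, 0, &off);
    printf("unguarded: blocknr 0 -> group %u offset %d (groups_count %u)\n",
           grp, off, demo_1k_sb.s_groups_count);

    grp = demo_group_clamped(&demo_1k_sb, 0, &off);
    printf("clamped:   blocknr 0 -> group %u offset %d (silently a valid location)\n", grp, off);

    if (demo_group_checked(&demo_1k_sb, 0, &grp, &off) < 0)
        printf("checked:   blocknr 0 -> rejected\n");
    if (demo_group_checked(&demo_1k_sb, 9000, &grp, &off) == 0)
        printf("checked:   blocknr 9000 -> group %u offset %d\n", grp, off);
    return 0;
}
```

With the assumed geometry, block 0 fed to the unguarded version wraps to 2^64-1, divides to 2^51-1 and truncates to 0xFFFFFFFF, which is what overruns s_groups_count; the clamped version turns the same input into group 0, offset 0, which is the behaviour a reviewer would want to flag as hiding the bad caller.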