The following calculation of iomap->length on line 798 in z_erofs_iomap_begin_report() can yield 0: if (iomap->offset >= inode->i_size) iomap->length = length + map.m_la - offset; This triggers a WARN_ON in iomap_iter_done() (see line 34 of fs/iomap/iter.c). Hence, return error when this scenario is encountered. ============================================================ This was reported as a crash by syzbot under an issue about warning encountered in iomap_iter_done(), but unrelated to erofs. Hence, not adding issue hash in Reported-by line. C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000 Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02 Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6 Reported-by: syzbot@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Siddh Raman Pant <code@xxxxxxxx> --- fs/erofs/zmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/erofs/zmap.c b/fs/erofs/zmap.c index 0bb66927e3d0..bad852983eb9 100644 --- a/fs/erofs/zmap.c +++ b/fs/erofs/zmap.c @@ -796,6 +796,9 @@ static int z_erofs_iomap_begin_report(struct inode *inode, loff_t offset, */ if (iomap->offset >= inode->i_size) iomap->length = length + map.m_la - offset; + + if (iomap->length == 0) + return -EINVAL; } iomap->flags = 0; return 0; -- 2.35.1
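Review bot: the new `if (iomap->length == 0) return -EINVAL;` guard only catches an exact zero, but the value it protects, `length + map.m_la - offset`, can also go negative when map.m_la ends up below offset, and a negative result stored in an unsigned length is not zero and slips past this check; either reject that case as well or state in the commit message why it cannot occur. The commit message also describes only the symptom (the WARN_ON in iomap_iter_done()) and not why the computation yields 0 for the reproducer, which a reader needs to judge whether erroring out with -EINVAL on a post-EOF report is the right fix rather than correcting the length calculation; a one-line comment above the new check explaining what it prevents would help the next reader of zmap.c.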