From patchwork Sat Oct 22 07:29:23 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 7742 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4242:0:0:0:0:0 with SMTP id s2csp1110730wrr; Sat, 22 Oct 2022 01:54:03 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4LBfTzRuCrNm2CQT1qMcWGATML7BmMOfNmSjI3DQ4Uyd7G6HAq1bB741CE/aamx3+Q7xz1 X-Received: by 2002:a17:906:4fcb:b0:791:9a26:376f with SMTP id i11-20020a1709064fcb00b007919a26376fmr19245877ejw.431.1666428843449; Sat, 22 Oct 2022 01:54:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666428843; cv=none; d=google.com; s=arc-20160816; b=s7rQdX9A7EdveAptVsUB9wvKsnHLpSKTZA7y+1eldrf5m+4bVzNWI0ZZmZRv2ideMD Otp7TAEH4aDqP9CnqBGxuh31O1Hp5a1S605Ggylns1vCFzgOlPOrdLXIQFMgIhtd/QK3 0khKZPpY0ZpfZ1LSFEa3ab6EWhSQ8hiMcTOGPINaKDXYKKMHEgNVsGt8KbKLw75cAhAB uHREbG+Ld2LA2DoR9RV8belreN08nWmFAaATpu8TPGfsyUtk+aVJeRGxB+ACiON2WqQ7 CcxnBV6VJ/KtiC1e70Lp8CMgrYCu2IAPYGFB4rUQHzgaX62Jb6LCdT0ia7X4+6pxI7TW BQRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=TV9yc9KtCRVANsKEA2EbDEYEXeAXEzwa1MbV+Yew/K0=; b=B3tFkzaVy/8cFXlrPkUumef+RbqLbE7CMjSLz3RTFTjXYDwtxNSYYHy1QxlKFt54oW jL0MsDqJh2xIOtMup1LGUsX5t9nBJ/JYoSDkXwdgja1NV+pUx/V2qh1mer5njybNOPt6 h7P6LeT0vW3L9lorJL26zkMiQEFRH1xiIiOPFNh9GZfeirs94iaM5UeVnKW4jSbnRbGk wKy10vbebleh94ru3xzUxkT1iNaYoF22/CUBRoHo3yI7TG3AC20v5tiYWs3S5sOJlE62 GFyn1Lq/8KBM7+CIz7KE78nBQOO75nXUI/xmIyVxdJXx4srJxGpMZb0cXe0mNbcWNolO qlqw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=EY7pgBMN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id wu13-20020a170906eecd00b00780636887fesi25446513ejb.797.2022.10.22.01.53.39; Sat, 22 Oct 2022 01:54:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=EY7pgBMN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234983AbiJVIwz (ORCPT + 99 others); Sat, 22 Oct 2022 04:52:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47134 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231131AbiJVIwL (ORCPT ); Sat, 22 Oct 2022 04:52:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 426402F1412; Sat, 22 Oct 2022 01:11:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0527560AC3; Sat, 22 Oct 2022 08:08:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E7FEAC433C1; Sat, 22 Oct 2022 08:08:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666426118; bh=zlvOBi7kgkZoA/S+XkPCVsAvu3dMCz50xTOYDIk7Qeg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EY7pgBMNP6CWZqOwGyD8EbG771nR4SIf7I6qeJGlWhHEBf4JwyodwxprlYiL3Ty4C jzfbnGc8ECfjNiG3tG3CeYZODGshiZzCrAXPpHzVcD3zU+js/UTJne5r3Yu2PeejEi aSsbjSm7JbU3E2Iww2NHGCBLfiKIquDA9DMDJE4s= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara , Sasha Levin Subject: [PATCH 5.19 684/717] ext2: Use kvmalloc() for group descriptor array Date: Sat, 22 Oct 2022 09:29:23 +0200 Message-Id: <20221022072528.739528361@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747377290980566126?= X-GMAIL-MSGID: =?utf-8?q?1747377290980566126?= From: Jan Kara [ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ] Array of group descriptor block buffers can get rather large. In theory in can reach 1MB for perfectly valid filesystem and even more for maliciously crafted ones. Use kvmalloc() to allocate the array to avoid straining memory allocator with large order allocations unnecessarily. Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin --- fs/ext2/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index b3232845d0c4..f53ab39bb8e8 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) db_count = sbi->s_gdb_count; for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); percpu_counter_destroy(&sbi->s_freeinodes_counter); @@ -1093,7 +1093,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) } db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc = kmalloc_array(db_count, + sbi->s_group_desc = kvmalloc_array(db_count, sizeof(struct buffer_head *), GFP_KERNEL); if (sbi->s_group_desc == NULL) { @@ -1219,7 +1219,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); failed_mount_group_desc: - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); failed_mount: brelse(bh);