From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara, Sasha Levin
Subject: [PATCH 5.15 504/530] ext2: Use kvmalloc() for group descriptor array
Date: Mon, 24 Oct 2022 13:34:08 +0200
Message-Id: <20221024113107.844012970@linuxfoundation.org>
In-Reply-To: <20221024113044.976326639@linuxfoundation.org>

From: Jan Kara

[ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ]

Array of group descriptor block buffers can get rather large. In theory it can reach 1MB for perfectly valid filesystem and even more for maliciously crafted ones. Use kvmalloc() to allocate the array to avoid straining memory allocator with large order allocations unnecessarily.

Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
Signed-off-by: Jan Kara
Signed-off-by: Sasha Levin
--- fs/ext2/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index fd855574ef09..02d82f8fe85d 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c
@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) db_count = sbi->s_gdb_count; for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); percpu_counter_destroy(&sbi->s_freeinodes_counter); @@ -1080,7 +1080,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) } db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc = kmalloc_array(db_count, + sbi->s_group_desc = kvmalloc_array(db_count, sizeof(struct buffer_head *), GFP_KERNEL); if (sbi->s_group_desc == NULL) { @@ -1206,7 +1206,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); failed_mount_group_desc: - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); failed_mount: brelse(bh);
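
Review bot: in the ext2_put_super() hunk (@@ -163), kfree(sbi->s_debts) on the line right after the converted call is left as it is, and the same pair appears again under failed_mount_group_desc in the last hunk. If s_debts is also sized from the group count, it can run into the same large-order allocation problem the commit message describes for s_group_desc. Either convert it in the same patch or state in the commit message why it does not need the change.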
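
Review bot: in the ext2_fill_super() hunk (@@ -1080), db_count reaches kvmalloc_array() with no upper bound visible in the hunk. It is computed from sbi->s_groups_count, and the commit message itself says a maliciously crafted filesystem can push the array past 1MB. With the vmalloc fallback, such a request is now more likely to be satisfied than refused. kvmalloc_array() guards the db_count * sizeof(struct buffer_head *) multiplication against overflow, but not against an implausibly large count. Consider rejecting a group count that is inconsistent with the size of the device before this computation, if an earlier part of the function does not already do so.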