From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara, Sasha Levin
Subject: [PATCH 6.0 827/862] ext2: Use kvmalloc() for group descriptor array
Date: Wed, 19 Oct 2022 10:35:14 +0200
Message-Id: <20221019083326.446951244@linuxfoundation.org>
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>

From: Jan Kara

[ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ]

Array of group descriptor block buffers can get rather large. In theory it can reach 1MB for a perfectly valid filesystem and even more for maliciously crafted ones. Use kvmalloc() to allocate the array to avoid straining the memory allocator with large order allocations unnecessarily.

Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
Signed-off-by: Jan Kara
Signed-off-by: Sasha Levin
--- fs/ext2/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index afb31af9302d..03f2af98b1b4 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c 
@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) db_count = sbi->s_gdb_count; for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); percpu_counter_destroy(&sbi->s_freeinodes_counter); @@ -1092,7 +1092,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) } db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc = kmalloc_array(db_count, + sbi->s_group_desc = kvmalloc_array(db_count, sizeof(struct buffer_head *), GFP_KERNEL); if (sbi->s_group_desc == NULL) { @@ -1218,7 +1218,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); failed_mount_group_desc: - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); failed_mount: brelse(bh); -- 2.35.1
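Review bot: in the ext2_fill_super() hunk at -1092, db_count is still computed directly from sbi->s_groups_count and no upper bound is visible before kvmalloc_array(), so a crafted superblock continues to choose the allocation size; the vmalloc fallback only takes away the high-order page pressure. Consider rejecting an s_groups_count that is inconsistent with the filesystem's block count before this allocation, so the array is bounded by what a real filesystem of that size could need, and say in the commit message whether such a check already exists earlier in the function.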
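Review bot: the kvfree() conversions in ext2_put_super() and at failed_mount_group_desc must cover every path that releases sbi->s_group_desc, because an array that came from the vmalloc fallback must never reach kfree(). The diffstat shows only these two free sites changed, so please confirm no other code in fs/ext2 frees this pointer. Leaving kfree(sbi->s_debts) on the following line unchanged is consistent, since its allocation is not touched by this patch.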