Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3920727rwi;
        Sat, 22 Oct 2022 02:14:02 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM6Xm8pWwbzVRE+3FswmzKwk5352o1e7FuAXIcFtJ7MmaPSjPNDTOn5z1ybOzKlFWxcyxKZ1
X-Received: by 2002:a63:f206:0:b0:446:eb31:47e0 with SMTP id v6-20020a63f206000000b00446eb3147e0mr20163408pgh.491.1666430042121;
        Sat, 22 Oct 2022 02:14:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666430042; cv=none;
        d=google.com; s=arc-20160816;
        b=StKA5nwMbLYhBEd7bnUUaDuiypHo8bnWl4l9kU8UBULwxwhJJuROSdZIdEeqHCYPIx
         nu4EtOnH0OLTdurG8j2xqAjijqG/4X+2dY3CUMfSzzbAaxa/BBYEHi++Y0KZgZ887rqM
         HiTRW+D7IFK6IHjK7w/nI+bGllkqLQgrnBBDjGaL8K/xMiaFYQ7C2QUKXqDT20bIkzWn
         F8zW09UWOQIaSj9QGzUECguLZzNS+wLsuYlNJGMYznPZnjHVvLnhy1iARh9pg4E0HxJg
         pMPeLx30EY3+1AcXsU9uivc0wGKY0GEkzaaJyew70l1rQ1jCASpgAPVfKjlf8ajqlywF
         9l5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=TV9yc9KtCRVANsKEA2EbDEYEXeAXEzwa1MbV+Yew/K0=;
        b=B3tFkzaVy/8cFXlrPkUumef+RbqLbE7CMjSLz3RTFTjXYDwtxNSYYHy1QxlKFt54oW
         jL0MsDqJh2xIOtMup1LGUsX5t9nBJ/JYoSDkXwdgja1NV+pUx/V2qh1mer5njybNOPt6
         h7P6LeT0vW3L9lorJL26zkMiQEFRH1xiIiOPFNh9GZfeirs94iaM5UeVnKW4jSbnRbGk
         wKy10vbebleh94ru3xzUxkT1iNaYoF22/CUBRoHo3yI7TG3AC20v5tiYWs3S5sOJlE62
         GFyn1Lq/8KBM7+CIz7KE78nBQOO75nXUI/xmIyVxdJXx4srJxGpMZb0cXe0mNbcWNolO
         qlqw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=EY7pgBMN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id p3-20020a170902eac300b001867db1d29csi3728208pld.60.2022.10.22.02.13.50;
        Sat, 22 Oct 2022 02:14:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=EY7pgBMN;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234983AbiJVIwz (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Sat, 22 Oct 2022 04:52:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47134 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231131AbiJVIwL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 22 Oct 2022 04:52:11 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 426402F1412;
        Sat, 22 Oct 2022 01:11:56 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 0527560AC3;
        Sat, 22 Oct 2022 08:08:39 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E7FEAC433C1;
        Sat, 22 Oct 2022 08:08:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666426118;
        bh=zlvOBi7kgkZoA/S+XkPCVsAvu3dMCz50xTOYDIk7Qeg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=EY7pgBMNP6CWZqOwGyD8EbG771nR4SIf7I6qeJGlWhHEBf4JwyodwxprlYiL3Ty4C
         jzfbnGc8ECfjNiG3tG3CeYZODGshiZzCrAXPpHzVcD3zU+js/UTJne5r3Yu2PeejEi
         aSsbjSm7JbU3E2Iww2NHGCBLfiKIquDA9DMDJE4s=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com,
        Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.19 684/717] ext2: Use kvmalloc() for group descriptor array
Date:   Sat, 22 Oct 2022 09:29:23 +0200
Message-Id: <20221022072528.739528361@linuxfoundation.org>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221022072415.034382448@linuxfoundation.org>
References: <20221022072415.034382448@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jan Kara <jack@suse.cz>

[ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ]

Array of group descriptor block buffers can get rather large. In theory
in can reach 1MB for perfectly valid filesystem and even more for
maliciously crafted ones. Use kvmalloc() to allocate the array to avoid
straining memory allocator with large order allocations unnecessarily.

Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext2/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/ext2/super.c b/fs/ext2/super.c
index b3232845d0c4..f53ab39bb8e8 100644
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb)
 	db_count = sbi->s_gdb_count;
 	for (i = 0; i < db_count; i++)
 		brelse(sbi->s_group_desc[i]);
-	kfree(sbi->s_group_desc);
+	kvfree(sbi->s_group_desc);
 	kfree(sbi->s_debts);
 	percpu_counter_destroy(&sbi->s_freeblocks_counter);
 	percpu_counter_destroy(&sbi->s_freeinodes_counter);
@@ -1093,7 +1093,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 	}
 	db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /
 		   EXT2_DESC_PER_BLOCK(sb);
-	sbi->s_group_desc = kmalloc_array(db_count,
+	sbi->s_group_desc = kvmalloc_array(db_count,
 					   sizeof(struct buffer_head *),
 					   GFP_KERNEL);
 	if (sbi->s_group_desc == NULL) {
@@ -1219,7 +1219,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 	for (i = 0; i < db_count; i++)
 		brelse(sbi->s_group_desc[i]);
 failed_mount_group_desc:
-	kfree(sbi->s_group_desc);
+	kvfree(sbi->s_group_desc);
 	kfree(sbi->s_debts);
 failed_mount:
 	brelse(bh);
-- 
2.35.1