Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3920727rwi; Sat, 22 Oct 2022 02:14:02 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6Xm8pWwbzVRE+3FswmzKwk5352o1e7FuAXIcFtJ7MmaPSjPNDTOn5z1ybOzKlFWxcyxKZ1 X-Received: by 2002:a63:f206:0:b0:446:eb31:47e0 with SMTP id v6-20020a63f206000000b00446eb3147e0mr20163408pgh.491.1666430042121; Sat, 22 Oct 2022 02:14:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666430042; cv=none; d=google.com; s=arc-20160816; b=StKA5nwMbLYhBEd7bnUUaDuiypHo8bnWl4l9kU8UBULwxwhJJuROSdZIdEeqHCYPIx nu4EtOnH0OLTdurG8j2xqAjijqG/4X+2dY3CUMfSzzbAaxa/BBYEHi++Y0KZgZ887rqM HiTRW+D7IFK6IHjK7w/nI+bGllkqLQgrnBBDjGaL8K/xMiaFYQ7C2QUKXqDT20bIkzWn F8zW09UWOQIaSj9QGzUECguLZzNS+wLsuYlNJGMYznPZnjHVvLnhy1iARh9pg4E0HxJg pMPeLx30EY3+1AcXsU9uivc0wGKY0GEkzaaJyew70l1rQ1jCASpgAPVfKjlf8ajqlywF 9l5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=TV9yc9KtCRVANsKEA2EbDEYEXeAXEzwa1MbV+Yew/K0=; b=B3tFkzaVy/8cFXlrPkUumef+RbqLbE7CMjSLz3RTFTjXYDwtxNSYYHy1QxlKFt54oW jL0MsDqJh2xIOtMup1LGUsX5t9nBJ/JYoSDkXwdgja1NV+pUx/V2qh1mer5njybNOPt6 h7P6LeT0vW3L9lorJL26zkMiQEFRH1xiIiOPFNh9GZfeirs94iaM5UeVnKW4jSbnRbGk wKy10vbebleh94ru3xzUxkT1iNaYoF22/CUBRoHo3yI7TG3AC20v5tiYWs3S5sOJlE62 GFyn1Lq/8KBM7+CIz7KE78nBQOO75nXUI/xmIyVxdJXx4srJxGpMZb0cXe0mNbcWNolO qlqw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=EY7pgBMN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p3-20020a170902eac300b001867db1d29csi3728208pld.60.2022.10.22.02.13.50; Sat, 22 Oct 2022 02:14:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=EY7pgBMN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234983AbiJVIwz (ORCPT + 99 others); Sat, 22 Oct 2022 04:52:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47134 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231131AbiJVIwL (ORCPT ); Sat, 22 Oct 2022 04:52:11 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 426402F1412; Sat, 22 Oct 2022 01:11:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0527560AC3; Sat, 22 Oct 2022 08:08:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E7FEAC433C1; Sat, 22 Oct 2022 08:08:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666426118; bh=zlvOBi7kgkZoA/S+XkPCVsAvu3dMCz50xTOYDIk7Qeg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EY7pgBMNP6CWZqOwGyD8EbG771nR4SIf7I6qeJGlWhHEBf4JwyodwxprlYiL3Ty4C jzfbnGc8ECfjNiG3tG3CeYZODGshiZzCrAXPpHzVcD3zU+js/UTJne5r3Yu2PeejEi aSsbjSm7JbU3E2Iww2NHGCBLfiKIquDA9DMDJE4s= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara , Sasha Levin Subject: [PATCH 5.19 684/717] ext2: Use kvmalloc() for group descriptor array Date: Sat, 22 Oct 2022 09:29:23 +0200 Message-Id: <20221022072528.739528361@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jan Kara [ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ] Array of group descriptor block buffers can get rather large. In theory in can reach 1MB for perfectly valid filesystem and even more for maliciously crafted ones. Use kvmalloc() to allocate the array to avoid straining memory allocator with large order allocations unnecessarily. Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin --- fs/ext2/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index b3232845d0c4..f53ab39bb8e8 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) db_count = sbi->s_gdb_count; for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); percpu_counter_destroy(&sbi->s_freeinodes_counter); @@ -1093,7 +1093,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) } db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc = kmalloc_array(db_count, + sbi->s_group_desc = kvmalloc_array(db_count, sizeof(struct buffer_head *), GFP_KERNEL); if (sbi->s_group_desc == NULL) { @@ -1219,7 +1219,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); failed_mount_group_desc: - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); failed_mount: brelse(bh); -- 2.35.1