From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara, Sasha Levin
Subject: [PATCH 5.15 504/530] ext2: Use kvmalloc() for group descriptor array
Date: Mon, 24 Oct 2022 13:34:08 +0200
Message-Id: <20221024113107.844012970@linuxfoundation.org>
In-Reply-To: <20221024113044.976326639@linuxfoundation.org>
References: <20221024113044.976326639@linuxfoundation.org>

From: Jan Kara

[ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ]

Array of group descriptor block buffers can get rather large. In theory it can reach 1MB for perfectly valid filesystem and even more for maliciously crafted ones. Use kvmalloc() to allocate the array to avoid straining memory allocator with large order allocations unnecessarily.

Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
Signed-off-by: Jan Kara
Signed-off-by: Sasha Levin
--- fs/ext2/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index fd855574ef09..02d82f8fe85d 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c 
@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) db_count = sbi->s_gdb_count; for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); percpu_counter_destroy(&sbi->s_freeinodes_counter); @@ -1080,7 +1080,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) } db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc = kmalloc_array(db_count, + sbi->s_group_desc = kvmalloc_array(db_count, sizeof(struct buffer_head *), GFP_KERNEL); if (sbi->s_group_desc == NULL) { @@ -1206,7 +1206,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) for (i = 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); failed_mount_group_desc: - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); failed_mount: brelse(bh); -- 2.35.1
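
Review bot: In the ext2_put_super hunk, `kvfree(sbi->s_group_desc)` is only safe if every release of this array is converted together with the allocation, because kfree() must not be handed memory that came from the vmalloc fallback. The patch converts this site and the failed_mount_group_desc path; please confirm that no other kfree(sbi->s_group_desc) remains, and mention the free-side change in the commit message, which currently describes only the allocation.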
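
Review bot: In the ext2_fill_super allocation hunk, db_count is derived from sbi->s_groups_count and no upper bound is visible before `kvmalloc_array(db_count, ...)`. With kmalloc_array an oversized request from a crafted superblock failed at the allocator; with the vmalloc fallback it can now succeed, so the array size is limited only by the on-disk value. If the group count is not already validated against the device size earlier in this function, add that check before the allocation so such a mount is rejected instead of being given a very large array.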
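
Review bot: In the failed_mount_group_desc hunk, `kfree(sbi->s_debts)` is left unchanged directly after the converted `kvfree(sbi->s_group_desc)`. If s_debts is also sized by the group count, it grows with the same crafted input and may deserve the same kvmalloc/kvfree treatment; if it stays small by construction, a sentence in the commit message saying so would settle the question.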