From nobody Fri Oct 17 10:32:16 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C79EEC433FE for ; Wed, 19 Oct 2022 10:41:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232151AbiJSKlO (ORCPT ); Wed, 19 Oct 2022 06:41:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58676 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232099AbiJSKkN (ORCPT ); Wed, 19 Oct 2022 06:40:13 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CF7A76B8ED; Wed, 19 Oct 2022 03:18:46 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id CA8D5B824E1; Wed, 19 Oct 2022 09:14:53 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4AC03C433B5; Wed, 19 Oct 2022 09:14:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666170892; bh=OxUnyWBNF9EL9wIWC7v/GzN4GWanOyfXdgikF9wmzdI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wvti6MUYHhKeYgk7IJVI5kMMeVaJdbxgbkxpf44D47ijnINwZ/7uRcQJPs0uqZXg4 wgT4cKdkiP9byPsraAmetbRp0ItRqYcP6JxJxvgbaQlPb0x9fNtkn8R3IygY2scbZv VYf/v4PYqn3BUKDK5YCA4hPPsB2/x5QHkYSx1Ka8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com, Jan Kara , Sasha Levin Subject: [PATCH 6.0 827/862] ext2: Use kvmalloc() for group descriptor array Date: Wed, 19 Oct 2022 10:35:14 +0200 Message-Id: <20221019083326.446951244@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221019083249.951566199@linuxfoundation.org> References: <20221019083249.951566199@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jan Kara [ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ] Array of group descriptor block buffers can get rather large. In theory in can reach 1MB for perfectly valid filesystem and even more for maliciously crafted ones. Use kvmalloc() to allocate the array to avoid straining memory allocator with large order allocations unnecessarily. Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin --- fs/ext2/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index afb31af9302d..03f2af98b1b4 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) db_count =3D sbi->s_gdb_count; for (i =3D 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); percpu_counter_destroy(&sbi->s_freeinodes_counter); @@ -1092,7 +1092,7 @@ static int ext2_fill_super(struct super_block *sb, vo= id *data, int silent) } db_count =3D (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc =3D kmalloc_array(db_count, + sbi->s_group_desc =3D kvmalloc_array(db_count, sizeof(struct buffer_head *), GFP_KERNEL); if (sbi->s_group_desc =3D=3D NULL) { @@ -1218,7 +1218,7 @@ static int ext2_fill_super(struct super_block *sb, vo= id *data, int silent) for (i =3D 0; i < db_count; i++) brelse(sbi->s_group_desc[i]); failed_mount_group_desc: - kfree(sbi->s_group_desc); + kvfree(sbi->s_group_desc); kfree(sbi->s_debts); failed_mount: brelse(bh); --=20 2.35.1