From nobody Thu Jul 2 12:54:05 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07780C433FE for ; Mon, 27 Dec 2021 18:09:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231526AbhL0SJZ (ORCPT ); Mon, 27 Dec 2021 13:09:25 -0500 Received: from smtp07.smtpout.orange.fr ([80.12.242.129]:60959 "EHLO smtp.smtpout.orange.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229563AbhL0SJX (ORCPT ); Mon, 27 Dec 2021 13:09:23 -0500 Received: from pop-os.home ([86.243.171.122]) by smtp.orange.fr with ESMTPA id 1uQynxe1xMNzv1uQznw2pp; Mon, 27 Dec 2021 19:09:22 +0100 X-ME-Helo: pop-os.home X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Mon, 27 Dec 2021 19:09:22 +0100 X-ME-IP: 86.243.171.122 From: Christophe JAILLET To: hubcap@omnibond.com, martin@omnibond.com, viro@zeniv.linux.org.uk Cc: devel@lists.orangefs.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET Subject: [PATCH] orangefs: Fix the size of a memory allocation in orangefs_bufmap_alloc() Date: Mon, 27 Dec 2021 19:09:18 +0100 Message-Id: X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" 'buffer_index_array' really looks like a bitmap. So it should be allocated as such. When kzalloc is called, a number of bytes is expected, but a number of longs is passed instead. In get(), if not enough memory is allocated, un-allocated memory may be read or written. So use bitmap_zalloc() to safely allocate the correct memory size and avoid un-expected behavior. While at it, change the corresponding kfree() into bitmap_free() to keep the semantic. Fixes: ea2c9c9f6574 ("orangefs: bufmap rewrite") Signed-off-by: Christophe JAILLET --- If the above is correct, I guess that cc stable should be added. --- fs/orangefs/orangefs-bufmap.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/fs/orangefs/orangefs-bufmap.c b/fs/orangefs/orangefs-bufmap.c index 538e839590ef..b501dc07f922 100644 --- a/fs/orangefs/orangefs-bufmap.c +++ b/fs/orangefs/orangefs-bufmap.c @@ -176,7 +176,7 @@ orangefs_bufmap_free(struct orangefs_bufmap *bufmap) { kfree(bufmap->page_array); kfree(bufmap->desc_array); - kfree(bufmap->buffer_index_array); + bitmap_free(bufmap->buffer_index_array); kfree(bufmap); } =20 @@ -226,8 +226,7 @@ orangefs_bufmap_alloc(struct ORANGEFS_dev_map_desc *use= r_desc) bufmap->desc_size =3D user_desc->size; bufmap->desc_shift =3D ilog2(bufmap->desc_size); =20 - bufmap->buffer_index_array =3D - kzalloc(DIV_ROUND_UP(bufmap->desc_count, BITS_PER_LONG), GFP_KERNEL); + bufmap->buffer_index_array =3D bitmap_zalloc(bufmap->desc_count, GFP_KERN= EL); if (!bufmap->buffer_index_array) goto out_free_bufmap; =20 @@ -250,7 +249,7 @@ orangefs_bufmap_alloc(struct ORANGEFS_dev_map_desc *use= r_desc) out_free_desc_array: kfree(bufmap->desc_array); out_free_index_array: - kfree(bufmap->buffer_index_array); + bitmap_free(bufmap->buffer_index_array); out_free_bufmap: kfree(bufmap); out: --=20 2.32.0