Commit e7c7fbb9 authored by Jan Kara's avatar Jan Kara
Browse files

ext2: Use kvmalloc() for group descriptor array 



Array of group descriptor block buffers can get rather large. In theory
in can reach 1MB for perfectly valid filesystem and even more for
maliciously crafted ones. Use kvmalloc() to allocate the array to avoid
straining memory allocator with large order allocations unnecessarily.

Reported-by: default avatar <syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent d766f2d1

fs/ext2/super.c

+3 −3
Original line number Diff line number Diff line
@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) 
	db_count = sbi->s_gdb_count;

	for (i = 0; i < db_count; i++)

		brelse(sbi->s_group_desc[i]);

	kfree(sbi->s_group_desc);

	kvfree(sbi->s_group_desc);

	kfree(sbi->s_debts);

	percpu_counter_destroy(&sbi->s_freeblocks_counter);

	percpu_counter_destroy(&sbi->s_freeinodes_counter);
@@ -1092,7 +1092,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) 
	}

	db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /

		   EXT2_DESC_PER_BLOCK(sb);

	sbi->s_group_desc = kmalloc_array(db_count,

	sbi->s_group_desc = kvmalloc_array(db_count,

					   sizeof(struct buffer_head *),

					   GFP_KERNEL);

	if (sbi->s_group_desc == NULL) {
@@ -1218,7 +1218,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) 
	for (i = 0; i < db_count; i++)

		brelse(sbi->s_group_desc[i]);

failed_mount_group_desc:

	kfree(sbi->s_group_desc);

	kvfree(sbi->s_group_desc);

	kfree(sbi->s_debts);

failed_mount:

	brelse(bh);