ext2: Use kvmalloc() for group descriptor array

Array of group descriptor block buffers can get rather large. In theory
in can reach 1MB for perfectly valid filesystem and even more for
maliciously crafted ones. Use kvmalloc() to allocate the array to avoid
straining memory allocator with large order allocations unnecessarily.

Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>

diff --git a/fs/ext2/super.c b/fs/ext2/super.c
index afb31af9302d74fe1411d1a7f7a2550fc9b7e4de..03f2af98b1b48b40a3efcd16506912d05ae54a07 100644 (file)
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb)
        db_count = sbi->s_gdb_count;
        for (i = 0; i < db_count; i++)
                brelse(sbi->s_group_desc[i]);
-       kfree(sbi->s_group_desc);
+       kvfree(sbi->s_group_desc);
        kfree(sbi->s_debts);
        percpu_counter_destroy(&sbi->s_freeblocks_counter);
        percpu_counter_destroy(&sbi->s_freeinodes_counter);
@@ -1092,7 +1092,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
        }
        db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /
                   EXT2_DESC_PER_BLOCK(sb);
-       sbi->s_group_desc = kmalloc_array(db_count,
+       sbi->s_group_desc = kvmalloc_array(db_count,
                                           sizeof(struct buffer_head *),
                                           GFP_KERNEL);
        if (sbi->s_group_desc == NULL) {
@@ -1218,7 +1218,7 @@ failed_mount2:
        for (i = 0; i < db_count; i++)
                brelse(sbi->s_group_desc[i]);
 failed_mount_group_desc:
-       kfree(sbi->s_group_desc);
+       kvfree(sbi->s_group_desc);
        kfree(sbi->s_debts);
 failed_mount:
        brelse(bh);