From: Kent Overstreet Date: Thu, 10 Jun 2021 17:21:39 +0000 (-0400) Subject: bcachefs: Fix a buffer overrun X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=74cc1abdbf50fcdaedf4bcf9a800c575ec44e17a;p=linux.git bcachefs: Fix a buffer overrun In make_extent_indirect(), we were allocating too small of a buffer for the new indirect extent. Signed-off-by: Kent Overstreet
---
diff --git a/fs/bcachefs/reflink.c b/fs/bcachefs/reflink.c
index a420729288d42..6aa37726341d0 100644
--- a/fs/bcachefs/reflink.c
+++ b/fs/bcachefs/reflink.c
@@ -138,7 +138,7 @@ static int bch2_make_extent_indirect(struct btree_trans *trans,
 /* rewind iter to start of hole, if necessary: */
 bch2_btree_iter_set_pos(reflink_iter, bkey_start_pos(k.k));
- r_v = bch2_trans_kmalloc(trans, sizeof(__le64) + bkey_val_bytes(&orig->k));
+ r_v = bch2_trans_kmalloc(trans, sizeof(__le64) + bkey_bytes(&orig->k));
 ret = PTR_ERR_OR_ZERO(r_v);
 if (ret)
 goto err;
@@ -159,12 +159,6 @@ static int bch2_make_extent_indirect(struct btree_trans *trans,
 if (ret)
 goto err;
- r_p = bch2_trans_kmalloc(trans, sizeof(*r_p));
- if (IS_ERR(r_p)) {
- ret = PTR_ERR(r_p);
- goto err;
- }
-
 orig->k.type = KEY_TYPE_reflink_p;
 r_p = bkey_i_to_reflink_p(orig);
 set_bkey_val_bytes(&r_p->k, sizeof(r_p->v));
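Review bot: The size passed to bch2_trans_kmalloc() for r_v in the first hunk is still computed by hand, and nothing on the line says what the buffer has to hold. The code that fills r_v lies outside the hunk, so the allocation cannot be checked against the write from here. A comment above the call would pin the intent, for example `/* key header + __le64 refcount + orig's value; must cover everything copied into r_v below */`, on the assumption (worth confirming) that bkey_bytes() counts the key header as well as the value. Holding the size in a named local and reusing it where r_v is filled would keep the two from drifting apart again.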