Commit 64cd7de9 authored Jun 25, 2024 by Pei Li Committed by Kent Overstreet Jun 25, 2024

bcachefs: Fix kmalloc bug in __snapshot_t_mut



When allocating too huge a snapshot table, we should fail gracefully
in __snapshot_t_mut() instead of fail in kmalloc().

Reported-by:  <syzbot+770e99b65e26fa023ab1@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=770e99b65e26fa023ab1


Tested-by:  <syzbot+770e99b65e26fa023ab1@syzkaller.appspotmail.com>
Signed-off-by: Pei Li <peili.dev@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

parent 64ee1431

fs/bcachefs/snapshot.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -168,6 +168,9 @@ static noinline struct snapshot_t __snapshot_t_mut(struct bch_fs c, u32 id)
		size_t new_bytes = kmalloc_size_roundup(struct_size(new, s, idx + 1));
		size_t new_size = (new_bytes - sizeof(*new)) / sizeof(new->s[0]);

		if (unlikely(new_bytes > INT_MAX))
		return NULL;

		new = kvzalloc(new_bytes, GFP_KERNEL);
		if (!new)
		return NULL;