bcachefs: Fix kmalloc bug in __snapshot_t_mut

When allocating too huge a snapshot table, we should fail gracefully in __snapshot_t_mut() instead of fail in kmalloc(). Reported-by: syzbot+770e99b65e26fa023ab1@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=770e99b65e26fa023ab1 Tested-by: syzbot+770e99b65e26fa023ab1@syzkaller.appspotmail.com Signed-off-by: Pei Li <peili.dev@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
author: Pei Li <peili.dev@gmail.com> 2024-06-26 02:39:56 +0200
committer: Kent Overstreet <kent.overstreet@linux.dev> 2024-06-26 02:51:14 +0200
commit: 64cd7de998f393e73981e2aa4ee13e4e887f01ea (patch)
tree: 1552c78f0e8f48e3851db9440f6818160888a996
parent: bcachefs: Discard, invalidate workers are now per device (diff)
download: linux-64cd7de998f393e73981e2aa4ee13e4e887f01ea.tar.xz
linux-64cd7de998f393e73981e2aa4ee13e4e887f01ea.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/bcachefs/snapshot.c b/fs/bcachefs/snapshot.c
index 4ef98e696673..24023d6a9698 100644
--- a/fs/bcachefs/snapshot.c
+++ b/fs/bcachefs/snapshot.c
@@ -168,6 +168,9 @@ static noinline struct snapshot_t *__snapshot_t_mut(struct bch_fs *c, u32 id)
 	size_t new_bytes = kmalloc_size_roundup(struct_size(new, s, idx + 1));
 	size_t new_size = (new_bytes - sizeof(*new)) / sizeof(new->s[0]);
 
+	if (unlikely(new_bytes > INT_MAX))
+		return NULL;
+
 	new = kvzalloc(new_bytes, GFP_KERNEL);
 	if (!new)
 		return NULL;
author	Pei Li <peili.dev@gmail.com>	2024-06-26 02:39:56 +0200
committer	Kent Overstreet <kent.overstreet@linux.dev>	2024-06-26 02:51:14 +0200
commit	64cd7de998f393e73981e2aa4ee13e4e887f01ea (patch)
tree	1552c78f0e8f48e3851db9440f6818160888a996
parent	bcachefs: Discard, invalidate workers are now per device (diff)
download	linux-64cd7de998f393e73981e2aa4ee13e4e887f01ea.tar.xz linux-64cd7de998f393e73981e2aa4ee13e4e887f01ea.zip