Hello,
Yes, of course I object to it. I ignored this version of the patch being applied to the older Linux versions, but for the latest versions surely the version that I have authored should be applied instead. I have sent to Andrew Morton both the 4.20-rc1 and 4.19.2 versions of the patch. The 4.20 was applied (as "linux-next", I don't know why it is not in 4.20-rc4 yet), but 4.19.2 version was not applied yet, so here it is attached again (with the proper changelog etc). It applies to 4.19.5 cleanly as well, so please use this version (attached).
Kind regards, Tigran On Thu, 29 Nov 2018 at 14:29, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
4.19-stable review patch. If anyone has any objections, please let me know.
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream.
syzbot is reporting too large memory allocation at bfs_fill_super() [1]. Since file system image is corrupted such that bfs_sb->s_start == 0, bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and printf().
[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e9...
Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-l... Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Reported-by: syzbot syzbot+71c6b5d68e91149fc8a4@syzkaller.appspotmail.com Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Tigran Aivazian aivazian.tigran@gmail.com Cc: Matthew Wilcox willy@infradead.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
fs/bfs/inode.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
--- a/fs/bfs/inode.c +++ b/fs/bfs/inode.c @@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b
s->s_magic = BFS_MAGIC;
if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) {
if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) ||le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) { printf("Superblock is corrupted\n"); goto out1; }@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b sizeof(struct bfs_inode) + BFS_ROOT_INO - 1; imap_len = (info->si_lasti / 8) + 1;
info->si_imap = kzalloc(imap_len, GFP_KERNEL);if (!info->si_imap)
info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN);if (!info->si_imap) {printf("Cannot allocate %u bytes\n", imap_len); goto out1;} for (i = 0; i < BFS_ROOT_INO; i++) set_bit(i, info->si_imap);