Thank you. Please see comments below: On 14 June 2018 at 11:45, Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> wrote: > (Which patch did you mean? Hmm, I paste both patches instead of waiting for your answer.) I only meant the BFS patch. > commit 0c54bbdb89992eeff50866b64366a1a0cbd0e6fb > Author: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> > Date: Sat May 26 14:15:41 2018 +1000 > > bfs: add sanity check at bfs_fill_super() > > syzbot is reporting too large memory allocation at bfs_fill_super() [1]. > Since file system image is corrupted such that bfs_sb->s_start == 0, > bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix this > by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and printf(). > > [1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96 > > Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@xxxxxxxxxxxxxxxxxxx > Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> > Reported-by: syzbot <syzbot+71c6b5d68e91149fc8a4@xxxxxxxxxxxxxxxxxxxxxxxxx> > Reviewed-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > Cc: Tigran Aivazian <aivazian.tigran@xxxxxxxxx> > Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx> > Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > Signed-off-by: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx> > > diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c > index 9a69392..d81c148 100644 > --- a/fs/bfs/inode.c > +++ b/fs/bfs/inode.c > @@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_block *s, void *data, int silent) > > s->s_magic = BFS_MAGIC; > > - if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) { > + if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) || > + le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) { > printf("Superblock is corrupted\n"); > goto out1; > } Yes, this is acceptable. > @@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_block *s, void *data, int silent) > sizeof(struct bfs_inode) > + BFS_ROOT_INO - 1; > imap_len = (info->si_lasti / 8) + 1; > - info->si_imap = kzalloc(imap_len, GFP_KERNEL); > - if (!info->si_imap) > + info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN); > + if (!info->si_imap) { > + printf("Cannot allocate %u bytes\n", imap_len); > goto out1; > + } This is unnecessary. As Andrew Morton pointed out, if people set panic_on_warn then they do really want a panic on allocation failure warnings. Please update the patch with just the above sanity check for s_start < BFS_BSIZE. Kind regards, Tigran
