Looks like bpf has a set of macros suitable for such cases:

#define BITS_PER_BYTE_MASKED(bits) ((bits) & BITS_PER_BYTE_MASK)
#define BITS_ROUNDDOWN_BYTES(bits) ((bits) >> 3)
#define BITS_ROUNDUP_BYTES(bits) \
	(BITS_ROUNDDOWN_BYTES(bits) + !!BITS_PER_BYTE_MASKED(bits))

Maybe it makes sense to move them to a generic header and use them here?

--
Alexey Khoroshilov

On 26.03.2022 14:40, Fedor Pchelkin wrote:
> If count argument in copy_fd_bitmaps() is not a multiple of
> BITS_PER_BYTE, then one byte is lost and is not used in further
> manipulations with cpy value in memcpy() and memset()
> causing a leak. The leak was introduced with close_range() call
> using CLOSE_RANGE_UNSHARE flag.
>
> The patch suggests implementing an indicator (named add_byte)
> of count being multiple of BITS_PER_BYTE and adding it to the
> cpy value.
>
> Found by Syzkaller (https://github.com/google/syzkaller).
>
> Signed-off-by: Fedor Pchelkin <aissur0002@xxxxxxxxx>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
> --- > fs/file.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/fs/file.c b/fs/file.c > index 3ef1479df203..3c64a6423604 100644 > --- a/fs/file.c > +++ b/fs/file.c > @@ -56,10 +56,8 @@ static void copy_fd_bitmaps(struct fdtable *nfdt, struct fdtable *ofdt, > { > unsigned int cpy, set; > unsigned int add_byte = 0; > - > if (count % BITS_PER_BYTE != 0) > add_byte = 1; > - > cpy = count / BITS_PER_BYTE + add_byte; > set = (nfdt->max_fds - count) / BITS_PER_BYTE; > memcpy(nfdt->open_fds, ofdt->open_fds, cpy); >
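
Review bot: The hunk only deletes the two blank lines around the "if (count % BITS_PER_BYTE != 0)" check, while "unsigned int add_byte = 0;" and "cpy = count / BITS_PER_BYTE + add_byte;" appear as unchanged context, so the fix described in the commit message is not part of this diff (the diffstat agrees: 2 deletions). Please regenerate the patch against a tree that does not already carry the add_byte change so those lines show up as additions, and keep the blank line between the declarations and the first statement. Separately, once cpy is rounded up, "memcpy(nfdt->open_fds, ofdt->open_fds, cpy);" also copies the bits above count in the last byte from the old table; the patch should either mask those bits off in the new bitmap or explain in the commit message why carrying them over is harmless.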