syzbot creates a pipe and writes some data to it. It then creates a v9fs
mount using the pipe as transport. The data in the pipe specifies an ACL
of size 9 TB (9895604649984 bytes) for the root inode, causing kmalloc
to fail.

KMALLOC_MAX_SIZE is probably too loose of an upper bound for the size of
an ACL, but I didn't see an existing limit for V9FS like in e.g. NFS:

include/linux/nfsacl.h:
>/* Maximum number of ACL entries over NFS */
>#define NFS_ACL_MAX_ENTRIES 1024
>
>#define NFSACL_MAXWORDS (2*(2+3*NFS_ACL_MAX_ENTRIES))
>#define NFSACL_MAXPAGES ((2*(8+12*NFS_ACL_MAX_ENTRIES) + PAGE_SIZE-1) \
> >> PAGE_SHIFT)
>
>#define NFS_ACL_MAX_ENTRIES_INLINE (5)
>#define NFS_ACL_INLINE_BUFSIZE ((2*(2+3*NFS_ACL_MAX_ENTRIES_INLINE)) << 2)

#syz test

---
 fs/9p/acl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index eed551d8555f..1b9681d58f8d 100644
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -28,6 +28,8 @@ static struct posix_acl *v9fs_fid_get_acl(struct p9_fid *fid, const char *name) return ERR_PTR(size); if (size == 0) return ERR_PTR(-ENODATA); + if (size > KMALLOC_MAX_SIZE) + return ERR_PTR(-ERANGE); value = kzalloc(size, GFP_NOFS); if (!value) -- 2.43.0
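Review bot: the new bound in this hunk, `if (size > KMALLOC_MAX_SIZE) return ERR_PTR(-ERANGE);`, stops the 9 TB allocation syzbot hit, but a size supplied by the transport can still be anything up to KMALLOC_MAX_SIZE and will drive a `kzalloc(size, GFP_NOFS)` on every ACL lookup; since v9fs_fid_get_acl only ever turns this buffer into a struct posix_acl, consider a much tighter cap such as XATTR_SIZE_MAX (the VFS limit on xattr values) or a v9fs entry-count limit along the lines of the NFS_ACL_MAX_ENTRIES constants quoted above, so an untrusted 9P server cannot force large kernel allocations on demand. A one-line comment above the check saying that `size` comes from the transport and is untrusted would also help, because a bare `-ERANGE` here otherwise reads like the ordinary "caller's buffer too small" getxattr error rather than a rejection of hostile input.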