f2fs: fix out-of-bounds read in update_free_nid_bitmap

test_bit will access with unsigned long, which cause this bug.
Workaround by enlarge free_nid_bitmap.

BUG: KASAN: slab-out-of-bounds in update_free_nid_bitmap+0x98/0x16c
Read of size 8 at addr ffffffc06275c9ff by task init/195

CPU: 3 PID: 195 Comm: init Not tainted 4.4.114 #55
Hardware name: Rockchip rk3326 evb board (DT)
Call trace:
 dump_backtrace+0x0/0x244
 show_stack+0x14/0x1c
 dump_stack+0xa4/0xcc
 print_address_description+0xa4/0x308
 kasan_report+0x258/0x29c
 __asan_load8+0x78/0x80
 update_free_nid_bitmap+0x98/0x16c
 build_node_manager+0x884/0x950
 f2fs_fill_super+0x14bc/0x1ca8
 mount_bdev+0x174/0x208
 f2fs_mount+0x14/0x1c
 mount_fs+0xbc/0x1b0
 vfs_kern_mount+0xbc/0x1c8
 do_mount+0xcf0/0xe68
 SyS_mount+0x94/0xe0
 el0_svc_naked+0x24/0x28

Change-Id: I9167447ded0a8c2da1b80cdc671615c9108c02be
Signed-off-by: Tao Huang <huangtao@rock-chips.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c
index 964c99655942..53ee675c5c32 100644
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -2731,7 +2731,8 @@ static int init_free_nid_cache(struct f2fs_sb_info *sbi)
 	struct f2fs_nm_info *nm_i = NM_I(sbi);
 
 	nm_i->free_nid_bitmap = kvzalloc(nm_i->nat_blocks *
-					NAT_ENTRY_BITMAP_SIZE, GFP_KERNEL);
+					NAT_ENTRY_BITMAP_SIZE +
+					sizeof(unsigned long), GFP_KERNEL);
 	if (!nm_i->free_nid_bitmap)
 		return -ENOMEM;