| author | Tao Huang <huangtao@rock-chips.com> | 2018-02-23 10:42:56 +0800 |
|---|---|---|
| committer | Tao Huang <huangtao@rock-chips.com> | 2018-02-23 11:47:45 +0800 |
| commit | 921df26c80f0be8a102298bf413dd572d98dc4aa (patch) | |
| tree | ce56d126907b5d3995d512e3d0245301c8e0babf /fs | |
| parent | bc6e99f24320fd3e323996756970b848be0f3af3 (diff) | |
f2fs: fix out-of-bounds read in update_free_nid_bitmap
test_bit will access with unsigned long, which causes this bug.
Workaround by enlarging free_nid_bitmap.
BUG: KASAN: slab-out-of-bounds in update_free_nid_bitmap+0x98/0x16c
Read of size 8 at addr ffffffc06275c9ff by task init/195
CPU: 3 PID: 195 Comm: init Not tainted 4.4.114 #55
Hardware name: Rockchip rk3326 evb board (DT)
Call trace:
dump_backtrace+0x0/0x244
show_stack+0x14/0x1c
dump_stack+0xa4/0xcc
print_address_description+0xa4/0x308
kasan_report+0x258/0x29c
__asan_load8+0x78/0x80
update_free_nid_bitmap+0x98/0x16c
build_node_manager+0x884/0x950
f2fs_fill_super+0x14bc/0x1ca8
mount_bdev+0x174/0x208
f2fs_mount+0x14/0x1c
mount_fs+0xbc/0x1b0
vfs_kern_mount+0xbc/0x1c8
do_mount+0xcf0/0xe68
SyS_mount+0x94/0xe0
el0_svc_naked+0x24/0x28
Change-Id: I9167447ded0a8c2da1b80cdc671615c9108c02be
Signed-off-by: Tao Huang <huangtao@rock-chips.com>
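The commit message states the mechanism in one line: the bitmap is allocated in bytes, but test_bit loads a whole unsigned long, so the load for the last bits can run past the end of the allocation. The following user-space model, an added example that is not code from the Rockchip tree or from f2fs, works through why the read overruns, why the patch's extra `sizeof(unsigned long)` of slack always covers it, and why merely rounding the total size up to a word boundary would not. It assumes, since the page does not show these, that NAT_ENTRY_PER_BLOCK is 455 and NAT_ENTRY_BITMAP_SIZE therefore 57 bytes, that the flat bitmap is addressed per NAT block at byte offset `nat_ofs * NAT_ENTRY_BITMAP_SIZE`, and that `unsigned long` is 8 bytes as on arm64; the function names are the example's own.

```c
/*
 * Added example (not f2fs or Rockchip code): model of the out-of-bounds read
 * fixed by the patch above. All sizes are in bytes.
 *
 * Assumptions, labelled because the page does not state them:
 *  - NAT_ENTRY_PER_BLOCK = 455, so NAT_ENTRY_BITMAP_SIZE = 57 bytes
 *  - the flat bitmap is indexed per NAT block at byte offset
 *    nat_ofs * NAT_ENTRY_BITMAP_SIZE
 *  - unsigned long is 8 bytes (BITS_PER_LONG == 64)
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NAT_ENTRY_PER_BLOCK    455u                          /* assumed */
#define NAT_ENTRY_BITMAP_SIZE  ((NAT_ENTRY_PER_BLOCK + 7) / 8) /* 57 */
#define BITS_PER_LONG          (8 * sizeof(unsigned long))
#define BIT_WORD(nr)           ((nr) / BITS_PER_LONG)

/* End (exclusive) of the byte range the generic test_bit(nr, addr) loads:
 * it reads the entire unsigned long that contains bit nr, relative to addr. */
static size_t test_bit_read_end(size_t base, unsigned int nr)
{
    return base + (BIT_WORD(nr) + 1) * sizeof(unsigned long);
}

/* Allocation size before the patch: nat_blocks * NAT_ENTRY_BITMAP_SIZE. */
size_t bitmap_size_before(unsigned int nat_blocks)
{
    return (size_t)nat_blocks * NAT_ENTRY_BITMAP_SIZE;
}

/* Allocation size after the patch: one unsigned long of slack appended. */
size_t bitmap_size_after(unsigned int nat_blocks)
{
    return (size_t)nat_blocks * NAT_ENTRY_BITMAP_SIZE + sizeof(unsigned long);
}

/* A tempting alternative: round only the total up to a word boundary. */
size_t bitmap_size_aligned_total(unsigned int nat_blocks)
{
    size_t n = bitmap_size_before(nat_blocks);
    return (n + sizeof(unsigned long) - 1) & ~(sizeof(unsigned long) - 1);
}

/* Highest byte (exclusive) that any test_bit() over the bitmap can touch:
 * the last word of the last NAT block's 57-byte sub-bitmap. Because each
 * block base is 57 * nat_ofs, those bases are not word-aligned, so the word
 * containing bit 454 of the last block ends 7 bytes past the allocation. */
size_t worst_case_read_end(unsigned int nat_blocks)
{
    size_t base = (size_t)(nat_blocks - 1) * NAT_ENTRY_BITMAP_SIZE;
    return test_bit_read_end(base, NAT_ENTRY_PER_BLOCK - 1);
}

/* true when every possible test_bit() stays inside an allocation of alloc bytes */
bool bitmap_reads_in_bounds(unsigned int nat_blocks, size_t alloc)
{
    return worst_case_read_end(nat_blocks) <= alloc;
}

/* Number of bytes the worst-case read overruns an allocation (0 if none). */
size_t bitmap_overrun_bytes(unsigned int nat_blocks, size_t alloc)
{
    size_t end = worst_case_read_end(nat_blocks);
    return end > alloc ? end - alloc : 0;
}

int main(void)
{
    for (unsigned int n = 1; n <= 4; n++) {
        printf("nat_blocks=%u  before=%zu (overrun %zu)  aligned_total=%zu "
               "(overrun %zu)  after=%zu (overrun %zu)\n",
               n,
               bitmap_size_before(n), bitmap_overrun_bytes(n, bitmap_size_before(n)),
               bitmap_size_aligned_total(n),
               bitmap_overrun_bytes(n, bitmap_size_aligned_total(n)),
               bitmap_size_after(n), bitmap_overrun_bytes(n, bitmap_size_after(n)));
    }
    return 0;
}
```

Under these assumptions the pre-patch allocation is overrun by exactly 7 bytes whatever the number of NAT blocks, which is why a single `sizeof(unsigned long)` of slack is always enough; rounding the total up to a word boundary happens to work for one block but fails from two blocks on, because the per-block bases inside the buffer stay unaligned.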
Diffstat (limited to 'fs')
-rw-r--r-- | fs/f2fs/node.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/f2fs/node.c b/fs/f2fs/node.c index 964c99655942..53ee675c5c32 100644 --- a/fs/f2fs/node.c +++ b/fs/f2fs/node.c @@ -2731,7 +2731,8 @@ static int init_free_nid_cache(struct f2fs_sb_info *sbi) struct f2fs_nm_info *nm_i = NM_I(sbi); nm_i->free_nid_bitmap = kvzalloc(nm_i->nat_blocks * - NAT_ENTRY_BITMAP_SIZE, GFP_KERNEL); + NAT_ENTRY_BITMAP_SIZE + + sizeof(unsigned long), GFP_KERNEL); if (!nm_i->free_nid_bitmap) return -ENOMEM; |
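Review bot: the extra `+ sizeof(unsigned long)` in the `kvzalloc` size in `init_free_nid_cache` is unexplained in the code, so a later cleanup that "simplifies" the expression back to `nm_i->nat_blocks * NAT_ENTRY_BITMAP_SIZE` would silently reintroduce the slab-out-of-bounds read shown in the KASAN trace. Please add a comment next to the allocation stating that the bitmap is byte-sized but read word-wise by `test_bit`, so the final word-sized load can extend up to `sizeof(unsigned long) - 1` bytes past the byte total and the slack is deliberate. Note also that, because the buffer is sized in bytes per NAT block, rounding the total up to a word boundary (e.g. with `ALIGN`) would not be an equivalent fix if sub-bitmaps are addressed at byte offsets inside it, since those bases are not word-aligned; the trailing slack is the simpler guarantee. As the commit message itself says, this is a workaround: the mismatch between a byte-granular bitmap and `unsigned long`-granular bit operations remains, and any other bit helper used on `free_nid_bitmap` should be checked against the same assumption.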