bcachefs: Fix kmalloc bug in __snapshot_t_mut
authorPei Li <peili.dev@gmail.com>
Wed, 26 Jun 2024 00:39:56 +0000 (17:39 -0700)
committerKent Overstreet <kent.overstreet@linux.dev>
Wed, 26 Jun 2024 00:51:14 +0000 (20:51 -0400)
When the snapshot table to be allocated is too large, we should fail
gracefully in __snapshot_t_mut() instead of failing in kmalloc().

Reported-by: syzbot+770e99b65e26fa023ab1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=770e99b65e26fa023ab1
Tested-by: syzbot+770e99b65e26fa023ab1@syzkaller.appspotmail.com
Signed-off-by: Pei Li <peili.dev@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
fs/bcachefs/snapshot.c

index 4ef98e696673fd8917a990eb5961d7fe976b15ea..24023d6a9698bf977f87c14aa8a2bec60177f990 100644 (file)
@@ -168,6 +168,9 @@ static noinline struct snapshot_t *__snapshot_t_mut(struct bch_fs *c, u32 id)
        size_t new_bytes = kmalloc_size_roundup(struct_size(new, s, idx + 1));
        size_t new_size = (new_bytes - sizeof(*new)) / sizeof(new->s[0]);
 
+       if (unlikely(new_bytes > INT_MAX))
+               return NULL;
+
        new = kvzalloc(new_bytes, GFP_KERNEL);
        if (!new)
                return NULL;
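Review bot: The added `new_bytes > INT_MAX` guard carries no comment saying where the bound comes from, and it is the allocator's ceiling rather than a sanity limit on the snapshot id. I would put a comment above it such as `/* kvmalloc() warns and fails above INT_MAX; bail out first so an oversized id cannot trip that warning */`. The guard still lets a single id request a table of up to about 2 GiB, so if id can come from on-disk metadata (the syzbot report suggests it can, but that is not visible here), a range check on id before this point would be the stronger bound. The early `return NULL` is also indistinguishable from the out-of-memory return below it, so a caller cannot tell a corrupt id from real memory pressure. The body of __snapshot_t_mut() starts and ends outside the hunk, so how callers handle NULL should be confirmed there.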