Message ID | 20211124040818.2219374-1-yangerkun@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | hugetlbfs: avoid overflow in hugetlbfs_fallocate | expand |
On Wed, Nov 24, 2021 at 12:08:18PM +0800, yangerkun wrote: > start = offset >> hpage_shift; > - end = (offset + len + hpage_size - 1) >> hpage_shift; > + end = ((unsigned long long)offset + len + hpage_size - 1) > + >> hpage_shift; + end = DIV_ROUND_UP_ULL(offset + len, hpage_size);
On 2021/11/24 12:24, Matthew Wilcox wrote: > On Wed, Nov 24, 2021 at 12:08:18PM +0800, yangerkun wrote: >> start = offset >> hpage_shift; >> - end = (offset + len + hpage_size - 1) >> hpage_shift; >> + end = ((unsigned long long)offset + len + hpage_size - 1) >> + >> hpage_shift; > > + end = DIV_ROUND_UP_ULL(offset + len, hpage_size); Thanks, will do it in v2! > . >
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 49d2e686be74..8012a14901de 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -651,7 +651,8 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, * as well as being converted to page offsets. */ start = offset >> hpage_shift; - end = (offset + len + hpage_size - 1) >> hpage_shift; + end = ((unsigned long long)offset + len + hpage_size - 1) + >> hpage_shift; inode_lock(inode);
luojiajun report a problem[1] two years ago which seems still exists in mainline. vfs_fallocate can avoid 'offset + len' trigger overflow, but 'offset + len + hpage_size - 1' may overflow too and will lead to a wrong 'end'. luojiajun give a solution which can fix the wrong 'end' but leave the overflow still happened. We should fix it by transfer 'offset' to unsigned long long. [1] https://patchwork.kernel.org/project/linux-mm/patch/1554775226-67213-1-git-send-email-luojiajun3@huawei.com/ Signed-off-by: yangerkun <yangerkun@huawei.com> --- fs/hugetlbfs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)