From patchwork Wed Nov 24 06:24:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: yangerkun X-Patchwork-Id: 12636139 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1B5B6C433F5 for ; Wed, 24 Nov 2021 06:13:08 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 857BF6B0075; Wed, 24 Nov 2021 01:12:53 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 807716B0078; Wed, 24 Nov 2021 01:12:53 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 71D536B007B; Wed, 24 Nov 2021 01:12:53 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0150.hostedemail.com [216.40.44.150]) by kanga.kvack.org (Postfix) with ESMTP id 639496B0075 for ; Wed, 24 Nov 2021 01:12:53 -0500 (EST) Received: from smtpin02.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 285A71852336E for ; Wed, 24 Nov 2021 06:12:43 +0000 (UTC) X-FDA: 78842805006.02.72C5BC8 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by imf29.hostedemail.com (Postfix) with ESMTP id C4C9A9000ECF for ; Wed, 24 Nov 2021 06:12:39 +0000 (UTC) Received: from dggemv704-chm.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4HzVz11r5xz91Ht; Wed, 24 Nov 2021 14:12:13 +0800 (CST) Received: from kwepemm600019.china.huawei.com (7.193.23.64) by dggemv704-chm.china.huawei.com (10.3.19.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Wed, 24 Nov 2021 14:12:39 +0800 Received: from localhost.localdomain (10.175.127.227) by kwepemm600019.china.huawei.com (7.193.23.64) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Wed, 24 Nov 2021 14:12:39 +0800 From: yangerkun To: , CC: , , , Subject: [PATCH v2] hugetlbfs: avoid overflow in hugetlbfs_fallocate Date: Wed, 24 Nov 2021 14:24:52 +0800 Message-ID: <20211124062452.2343575-1-yangerkun@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-Originating-IP: [10.175.127.227] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To kwepemm600019.china.huawei.com (7.193.23.64) X-CFilter-Loop: Reflected X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: C4C9A9000ECF X-Stat-Signature: e67isgar9zmr9xy1n46bkzq9dzw8m4jc Authentication-Results: imf29.hostedemail.com; dkim=none; spf=pass (imf29.hostedemail.com: domain of yangerkun@huawei.com designates 45.249.212.188 as permitted sender) smtp.mailfrom=yangerkun@huawei.com; dmarc=pass (policy=quarantine) header.from=huawei.com X-HE-Tag: 1637734359-169881 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: luojiajun report a problem[1] two years ago which seems still exists in mainline. vfs_fallocate can avoid 'offset + len' trigger overflow, but 'offset + len + hpage_size - 1' may overflow too and will lead to a wrong 'end'. luojiajun give a solution which can fix the wrong 'end' but leave the overflow still happened. Fix it with DIV_ROUND_UP_ULL. [1] https://patchwork.kernel.org/project/linux-mm/patch/1554775226-67213-1-git-send-email-luojiajun3@huawei.com/ Signed-off-by: yangerkun Reviewed-by: Mike Kravetz --- fs/hugetlbfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 49d2e686be74..92ac056e8011 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -651,7 +651,7 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset, * as well as being converted to page offsets. */ start = offset >> hpage_shift; - end = (offset + len + hpage_size - 1) >> hpage_shift; + end = DIV_ROUND_UP_ULL(offset + len, hpage_size); inode_lock(inode);