Message-ID: <1573825937.5937.126.camel@lca.pw>
Subject: Re: [PATCH] mm: Cast the type of unmap_start to u64
From: Qian Cai
To: Chen Jun, Hugh Dickins, linux-mm@kvack.org
Cc: Andrew Morton, linux-kernel@vger.kernel.org, wangkefeng.wang@huawei.com
Date: Fri, 15 Nov 2019 08:52:17 -0500
In-Reply-To: <1573867464-5107-1-git-send-email-chenjun102@huawei.com>
References: <1573867464-5107-1-git-send-email-chenjun102@huawei.com>

On Fri, 2019-11-15 at 20:24 -0500, Chen Jun wrote:
> On a 64-bit system, sb->s_maxbytes of the shmem filesystem is MAX_LFS_FILESIZE,
> which equals LLONG_MAX.
> If offset > LLONG_MAX - PAGE_SIZE, offset + len < LLONG_MAX in
> shmem_fallocate, which will pass the check in vfs_fallocate.
> /* Check for wrap through zero too */
> if (((offset + len) > inode->i_sb->s_maxbytes) || ((offset + len) < 0))
>         return -EFBIG;
>
> loff_t unmap_start = round_up(offset, PAGE_SIZE) in shmem_fallocate
> causes an overflow.
>
> Syzkaller reports an overflow problem in mm/shmem:
> UBSAN: Undefined behaviour in mm/shmem.c:2014:10

What is the syzkaller reproducer if any?
> signed integer overflow:
> '9223372036854775807 + 1' cannot be represented in type 'long long int'
> CPU: 0 PID:17076 Comm: syz-executor0 Not tainted 4.1.46+ #1
> Hardware name: linux, dummy-virt (DT)
> Call trace:
> [] dump_backtrace+0x0/0x2c8 arch/arm64/kernel/traps.c:100
> [] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:238
> [] __dump_stack lib/dump_stack.c:15 [inline]
> [] ubsan_epilogue+0x18/0x70 lib/ubsan.c:164
> [] handle_overflow+0x158/0x1b0 lib/ubsan.c:195
> [] shmem_fallocate+0x6d0/0x820 mm/shmem.c:2104
> [] vfs_fallocate+0x238/0x428 fs/open.c:312
> [] SYSC_fallocate fs/open.c:335 [inline]
> [] SyS_fallocate+0x54/0xc8 fs/open.c:239
>
> The highest bit of unmap_start will be appended with sign bit 1 (overflow)
> when calculating shmem_falloc.start:
> shmem_falloc.start = unmap_start >> PAGE_SHIFT.
>
> Fix it by casting the type of unmap_start to u64, when right shifted.
>
> This bug is found in LTS Linux 4.1. It also seems to exist in mainline.
>
> Signed-off-by: Chen Jun
> ---
> mm/shmem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index e9342c3..82cebbc 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2717,7 +2717,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
> }
>
> shmem_falloc.waitq = &shmem_falloc_waitq;
> - shmem_falloc.start = unmap_start >> PAGE_SHIFT;
> + shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
> shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
> spin_lock(&inode->i_lock);
> inode->i_private = &shmem_falloc;
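Review bot: the cast is applied to the wrong expression. UBSAN's message ('9223372036854775807 + 1', i.e. LLONG_MAX + 1) and the commit text itself point at `loff_t unmap_start = round_up(offset, PAGE_SIZE)`, where the trailing `+ 1` inside round_up() overflows loff_t whenever offset lies in the last page below LLONG_MAX; by the time `shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;` runs, unmap_start has already been produced by a signed overflow, so the cast only changes how the wrapped, negative value is shifted and leaves the reported undefined behaviour in place. Suggest fixing it before the rounding: either reject the request in shmem_fallocate when round_up(offset, PAGE_SIZE) would exceed s_maxbytes (the page containing LLONG_MAX can never be fully unmapped anyway), or do the rounding in unsigned arithmetic and convert back, and state in the commit message which statement the change is meant to fix, since the quoted trace cites mm/shmem.c:2014:10 while the hunk is at line 2717.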
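As an added example (not code from the thread or from the kernel), the arithmetic the commit message walks through, modelled in C with checked adds instead of signed overflow: the vfs_fallocate wrap test admits an offset inside the page just below LLONG_MAX, and the kernel's round_up() expansion then overflows on its trailing `+ 1`. The `K_`-prefixed macros and the function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: loff_t is a signed 64-bit value, shmem's
 * s_maxbytes is MAX_LFS_FILESIZE == LLONG_MAX on 64-bit, PAGE_SHIFT is 12. */
#define K_PAGE_SHIFT 12
#define K_PAGE_SIZE  ((int64_t)1 << K_PAGE_SHIFT)
#define K_MAX_LFS_FILESIZE INT64_MAX

/* The check quoted from vfs_fallocate(): the range is admitted when offset+len
 * neither exceeds s_maxbytes nor wraps negative. A checked add replaces the
 * signed sum, which would itself be undefined behaviour on overflow. */
bool vfs_range_ok(int64_t offset, int64_t len, int64_t s_maxbytes)
{
    int64_t end;
    if (offset < 0 || len <= 0)
        return false;
    if (__builtin_add_overflow(offset, len, &end))
        return false;                 /* wrap through zero */
    return end <= s_maxbytes;
}

/* round_up(offset, PAGE_SIZE) as the kernel macro expands it:
 * ((offset - 1) | (PAGE_SIZE - 1)) + 1. Returns false when the trailing +1
 * would overflow, which is the 'LLONG_MAX + 1' that UBSAN reported. */
bool round_up_page_checked(int64_t offset, int64_t *out)
{
    int64_t masked = (offset - 1) | (K_PAGE_SIZE - 1);
    return !__builtin_add_overflow(masked, (int64_t)1, out);
}

/* 1 when vfs_fallocate's check admits (offset, len) but computing unmap_start
 * overflows, i.e. the gap the commit message describes; 0 otherwise. */
int demonstrates_gap(int64_t offset, int64_t len)
{
    int64_t unmap_start;
    if (!vfs_range_ok(offset, len, K_MAX_LFS_FILESIZE))
        return 0;
    return round_up_page_checked(offset, &unmap_start) ? 0 : 1;
}

int main(void)
{
    int64_t off = INT64_MAX - K_PAGE_SIZE + 2;  /* constructed: in the last page */
    printf("offset %lld: vfs check passes=%d, round_up overflows=%d\n",
           (long long)off, vfs_range_ok(off, 1, K_MAX_LFS_FILESIZE),
           demonstrates_gap(off, 1));
    return 0;
}
```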