From: "David Hildenbrand (Red Hat)" <david@kernel.org>
To: klourencodev@gmail.com, linux-mm@kvack.org
Cc: akpm@linux-foundation.org, Kevin Lourenco <k.lourenco@criteo.com>
Subject: Re: [PATCH] mm/fadvise: validate offset in generic_fadvise
Date: Tue, 23 Dec 2025 10:45:11 +0100 [thread overview]
Message-ID: <961095cd-59d2-454a-9b97-493d12f296a1@kernel.org> (raw)
In-Reply-To: <20251222141817.13335-1-klourencodev@gmail.com>
On 12/22/25 15:18, klourencodev@gmail.com wrote:
> From: Kevin Lourenco <klourencodev@gmail.com>
>
> When converted to (u64) for page calculations, a negative offset
> can produce extremely large page indices. This may lead to issues in certain advice modes (excessive readahead or
> cache invalidation)
>
> offsets are normally non-negative, but the API does not guarantee this. Since 'len' is already
> validated, checking 'offset' here is reasonable to prevent potential system instability.
Hi,
we tend to break lines as 72 chars in the patch description. I assume
Andrew will fix that up or already did it :)
>
> Signed-off-by: Kevin Lourenco <k.lourenco@criteo.com>
> ---
> mm/fadvise.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/fadvise.c b/mm/fadvise.c
> index 67028e30aa91..b63fe21416ff 100644
> --- a/mm/fadvise.c
> +++ b/mm/fadvise.c
> @@ -43,7 +43,7 @@ int generic_fadvise(struct file *file, loff_t offset, loff_t len, int advice)
> return -ESPIPE;
>
> mapping = file->f_mapping;
> - if (!mapping || len < 0)
> + if (!mapping || len < 0 || offset < 0)
> return -EINVAL;
>
> bdi = inode_to_bdi(mapping->host);
The man page of fadvise64()/posix_madvise() is a bit unclear. It doesn't
really specify what's supposed to happen on negative size or offset.
Staring at test cases in LTP, we seem to have:
* Check the value that posix_fadvise returns for wrong ADVISE value
* Check the value that posix_fadvise returns for wrong file descriptor
* Check the value that posix_fadvise returns for wrong ADVISE value
* Check the value that posix_fadvise returns for pipe descriptor
And we primarily only seem to test what's documented in the man page to
fail.
Which raises the questions:
(1) Could we accidentally break some users out there?
(2) Should we update the man page to document what is supposed to happen
with negative size or offset.
--
Cheers
David
next prev parent reply other threads:[~2025-12-23 9:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-22 14:18 klourencodev
2025-12-22 17:52 ` Andrew Morton
2025-12-22 23:38 ` Kevin Lourenco
2025-12-23 9:45 ` David Hildenbrand (Red Hat) [this message]
2025-12-23 16:16 ` Kevin Lourenco
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=961095cd-59d2-454a-9b97-493d12f296a1@kernel.org \
--to=david@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=k.lourenco@criteo.com \
--cc=klourencodev@gmail.com \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox