* [PATCH] mm: Return early in truncate_pagecache if newsize overflows
@ 2023-03-06 11:33 Wupeng Ma
2023-03-23 11:56 ` mawupeng
2023-03-23 21:40 ` Andrew Morton
0 siblings, 2 replies; 3+ messages in thread
From: Wupeng Ma @ 2023-03-06 11:33 UTC (permalink / raw)
To: akpm, willy; +Cc: linux-fsdevel, linux-kernel, linux-mm, mawupeng1
From: Ma Wupeng <mawupeng1@huawei.com>
Our own test reports a UBSAN in truncate_pagecache:
UBSAN: Undefined behaviour in mm/truncate.c:788:9
signed integer overflow:
9223372036854775807 + 1 cannot be represented in type 'long long int'
Call Trace:
truncate_pagecache+0xd4/0xe0
truncate_setsize+0x70/0x88
simple_setattr+0xdc/0x100
notify_change+0x654/0xb00
do_truncate+0x108/0x1a8
do_sys_ftruncate+0x2ec/0x4a0
__arm64_sys_ftruncate+0x5c/0x80
For huge file which pass LONG_MAX to ftruncate, truncate_pagecache() will
be called to truncate with newsize be LONG_MAX which will lead to
overflow for holebegin:
loff_t holebegin = round_up(newsize, PAGE_SIZE);
Since there is no meaning to truncate a file to LONG_MAX, return here
to avoid burn a bunch of cpu cycles.
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
---
mm/truncate.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mm/truncate.c b/mm/truncate.c
index 7b4ea4c4a46b..99b6ce2d669b 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -730,6 +730,9 @@ void truncate_pagecache(struct inode *inode, loff_t newsize)
struct address_space *mapping = inode->i_mapping;
loff_t holebegin = round_up(newsize, PAGE_SIZE);
+ if (holebegin < 0)
+ return;
+
/*
* unmap_mapping_range is called twice, first simply for
* efficiency so that truncate_inode_pages does fewer
--
2.25.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] mm: Return early in truncate_pagecache if newsize overflows
2023-03-06 11:33 [PATCH] mm: Return early in truncate_pagecache if newsize overflows Wupeng Ma
@ 2023-03-23 11:56 ` mawupeng
2023-03-23 21:40 ` Andrew Morton
1 sibling, 0 replies; 3+ messages in thread
From: mawupeng @ 2023-03-23 11:56 UTC (permalink / raw)
To: akpm, willy; +Cc: mawupeng1, linux-fsdevel, linux-kernel, linux-mm
Hi maintainers.
Kindly ping.
On 2023/3/6 19:33, Wupeng Ma wrote:
> From: Ma Wupeng <mawupeng1@huawei.com>
>
> Our own test reports a UBSAN in truncate_pagecache:
>
> UBSAN: Undefined behaviour in mm/truncate.c:788:9
> signed integer overflow:
> 9223372036854775807 + 1 cannot be represented in type 'long long int'
>
> Call Trace:
> truncate_pagecache+0xd4/0xe0
> truncate_setsize+0x70/0x88
> simple_setattr+0xdc/0x100
> notify_change+0x654/0xb00
> do_truncate+0x108/0x1a8
> do_sys_ftruncate+0x2ec/0x4a0
> __arm64_sys_ftruncate+0x5c/0x80
>
> For huge file which pass LONG_MAX to ftruncate, truncate_pagecache() will
> be called to truncate with newsize be LONG_MAX which will lead to
> overflow for holebegin:
>
> loff_t holebegin = round_up(newsize, PAGE_SIZE);
>
> Since there is no meaning to truncate a file to LONG_MAX, return here
> to avoid burn a bunch of cpu cycles.
>
> Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
> ---
> mm/truncate.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mm/truncate.c b/mm/truncate.c
> index 7b4ea4c4a46b..99b6ce2d669b 100644
> --- a/mm/truncate.c
> +++ b/mm/truncate.c
> @@ -730,6 +730,9 @@ void truncate_pagecache(struct inode *inode, loff_t newsize)
> struct address_space *mapping = inode->i_mapping;
> loff_t holebegin = round_up(newsize, PAGE_SIZE);
>
> + if (holebegin < 0)
> + return;
> +
> /*
> * unmap_mapping_range is called twice, first simply for
> * efficiency so that truncate_inode_pages does fewer
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] mm: Return early in truncate_pagecache if newsize overflows
2023-03-06 11:33 [PATCH] mm: Return early in truncate_pagecache if newsize overflows Wupeng Ma
2023-03-23 11:56 ` mawupeng
@ 2023-03-23 21:40 ` Andrew Morton
1 sibling, 0 replies; 3+ messages in thread
From: Andrew Morton @ 2023-03-23 21:40 UTC (permalink / raw)
To: Wupeng Ma; +Cc: willy, linux-fsdevel, linux-kernel, linux-mm
On Mon, 6 Mar 2023 19:33:17 +0800 Wupeng Ma <mawupeng1@huawei.com> wrote:
> From: Ma Wupeng <mawupeng1@huawei.com>
>
> Our own test reports a UBSAN in truncate_pagecache:
>
> UBSAN: Undefined behaviour in mm/truncate.c:788:9
> signed integer overflow:
> 9223372036854775807 + 1 cannot be represented in type 'long long int'
>
> Call Trace:
> truncate_pagecache+0xd4/0xe0
> truncate_setsize+0x70/0x88
> simple_setattr+0xdc/0x100
> notify_change+0x654/0xb00
> do_truncate+0x108/0x1a8
> do_sys_ftruncate+0x2ec/0x4a0
> __arm64_sys_ftruncate+0x5c/0x80
>
> For huge file which pass LONG_MAX to ftruncate, truncate_pagecache() will
> be called to truncate with newsize be LONG_MAX which will lead to
> overflow for holebegin:
>
> loff_t holebegin = round_up(newsize, PAGE_SIZE);
>
> Since there is no meaning to truncate a file to LONG_MAX, return here
> to avoid burn a bunch of cpu cycles.
>
> ...
>
> --- a/mm/truncate.c
> +++ b/mm/truncate.c
> @@ -730,6 +730,9 @@ void truncate_pagecache(struct inode *inode, loff_t newsize)
> struct address_space *mapping = inode->i_mapping;
> loff_t holebegin = round_up(newsize, PAGE_SIZE);
>
> + if (holebegin < 0)
> + return;
> +
It's awkward to perform an operation which might experience overflow
and to then test the possibly-overflowed result! In fact it might
still generate the UBSAN warning, depending on what the compiler
decides to do with it all.
So wouldn't it be better to check the input argument *before*
performing these operations on it? Preferably with a code comment
which explains the reason for the check, please.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-03-23 21:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-06 11:33 [PATCH] mm: Return early in truncate_pagecache if newsize overflows Wupeng Ma
2023-03-23 11:56 ` mawupeng
2023-03-23 21:40 ` Andrew Morton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox