    hugetlbfs: fix offset overflow in hugetlbfs mmap · 045c7a3f
    Committed by Mike Kravetz
    If mmap() maps a file, it can be passed an offset into the file at which
    the mapping is to start.  Offset could be a negative value when
    represented as a loff_t.  The offset plus length will be used to update
    the file size (i_size) which is also a loff_t.
    
    Validate the value of offset and offset + length to make sure they do
    not overflow and appear as negative.
    
    Found by syzcaller with commit ff8c0c53 ("mm/hugetlb.c: don't call
    region_abort if region_chg fails") applied.  Prior to this commit, the
    overflow would still occur but we would luckily return ENOMEM.
    
    To reproduce:
    
       mmap(0, 0x2000, 0, 0x40021, 0xffffffffffffffffULL, 0x8000000000000000ULL);
    
    Resulted in,
    
      kernel BUG at mm/hugetlb.c:742!
      Call Trace:
       hugetlbfs_evict_inode+0x80/0xa0
       evict+0x24a/0x620
       iput+0x48f/0x8c0
       dentry_unlink_inode+0x31f/0x4d0
       __dentry_kill+0x292/0x5e0
       dput+0x730/0x830
       __fput+0x438/0x720
       ____fput+0x1a/0x20
       task_work_run+0xfe/0x180
       exit_to_usermode_loop+0x133/0x150
       syscall_return_slowpath+0x184/0x1c0
       entry_SYSCALL_64_fastpath+0xab/0xad
    
    Fixes: ff8c0c53 ("mm/hugetlb.c: don't call region_abort if region_chg fails")
    Link: http://lkml.kernel.org/r/1491951118-30678-1-git-send-email-mike.kravetz@oracle.com
    Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
    Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
    Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
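The check the commit message describes, written out as a stand-alone illustration (added here; this is not the kernel's patch and not code from the commit). It models mmap()'s page-granular offset (`vm_pgoff`) and the signed 64-bit file offset (`loff_t`) with plain C types, assumes 4 KiB base pages and 2 MiB huge pages, and rejects an offset that would be negative as a signed value or an offset + length that would wrap past the signed maximum, which is exactly the case the reproducer above triggers with an offset of 0x8000000000000000.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Stand-in for the kernel's loff_t: a signed 64-bit file offset. */
typedef int64_t file_off_t;

/* Assumed geometry for this example: 4 KiB base pages, 2 MiB huge pages. */
#define PAGE_SHIFT   12
#define HPAGE_SHIFT  21
#define HPAGE_MASK   ((1ULL << HPAGE_SHIFT) - 1)

/*
 * Validate the byte range [pgoff << PAGE_SHIFT, +len) that a hugetlbfs mmap()
 * would cover. pgoff is the page-granular file offset mmap() receives (the
 * reproducer's 0x8000000000000000 becomes pgoff 0x8000000000000), len is the
 * mapping length in bytes. On success 0 is returned and *end_out receives
 * offset + len, the value a file size (i_size) update would use.
 * Returns -EINVAL if the offset is not huge-page aligned, if the byte offset
 * would be negative as a file_off_t, or if offset + len would wrap negative.
 */
int check_hugetlb_mmap_range(uint64_t pgoff, uint64_t len, file_off_t *end_out)
{
    /* Offset must be a whole number of huge pages. */
    if ((pgoff << PAGE_SHIFT) & HPAGE_MASK)
        return -EINVAL;

    /* pgoff << PAGE_SHIFT must itself fit in 64 bits. */
    if (pgoff > (UINT64_MAX >> PAGE_SHIFT))
        return -EINVAL;
    uint64_t off = pgoff << PAGE_SHIFT;

    /* Reinterpreted as a signed file offset, off must not be negative. */
    if (off > (uint64_t)INT64_MAX)
        return -EINVAL;

    /* off + len must not exceed INT64_MAX either (it would read as negative). */
    if (len > (uint64_t)INT64_MAX - off)
        return -EINVAL;

    if (end_out)
        *end_out = (file_off_t)(off + len);
    return 0;
}

/* Convenience wrapper: the end offset on success, -1 on rejection. */
file_off_t mapping_end(uint64_t pgoff, uint64_t len)
{
    file_off_t end;
    if (check_hugetlb_mmap_range(pgoff, len, &end) != 0)
        return -1;
    return end;
}

int main(void)
{
    /* Constructed inputs: a sane mapping, then the reproducer's offset. */
    printf("sane     -> %lld\n", (long long)mapping_end(0x200, 0x200000));
    printf("repro    -> %lld\n",
           (long long)mapping_end(0x8000000000000000ULL >> PAGE_SHIFT, 0x2000));
    printf("wrap     -> %lld\n",
           (long long)mapping_end(0x7FFFFFFFFFE00000ULL >> PAGE_SHIFT, 0x200000));
    return 0;
}
```

The two overflow checks are deliberately written as comparisons against the remaining headroom (`INT64_MAX - off`) rather than as `off + len < off`, so the test never relies on the wrapped value and stays correct whether the compiler treats the addition as signed or unsigned.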
inode.c 34.7 KB