On Thu, May 28, 2020 at 5:04 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > > if (*ppos >= i_size_read(inode)) > return 0; > > + /* don't read past the lvb */ > + if (count > i_size_read(inode) - *ppos) > + count = i_size_read(inode) - *ppos; This isn't a new problem, since you effectively just moved this code, but it's perhaps more obvious now.. "i_size_read()" is not necessarily stable - we do special things on 32-bit to make sure that we get _a_ stable value for it, but it's not necessarily guaranteed to be the same value when called twice. Think concurrent pread() with a write.. So the inode size could change in between those two accesses, and the subtraction might end up underflowing despite the check just above. This might not be an issue with ocfs2 (I didn't check locking), but .. Linus