Hi maintainers. Kindly ping. On 2023/3/6 19:33, Wupeng Ma wrote: > From: Ma Wupeng <mawupeng1@xxxxxxxxxx> > > Our own test reports a UBSAN in truncate_pagecache: > > UBSAN: Undefined behaviour in mm/truncate.c:788:9 > signed integer overflow: > 9223372036854775807 + 1 cannot be represented in type 'long long int' > > Call Trace: > truncate_pagecache+0xd4/0xe0 > truncate_setsize+0x70/0x88 > simple_setattr+0xdc/0x100 > notify_change+0x654/0xb00 > do_truncate+0x108/0x1a8 > do_sys_ftruncate+0x2ec/0x4a0 > __arm64_sys_ftruncate+0x5c/0x80 > > For huge file which pass LONG_MAX to ftruncate, truncate_pagecache() will > be called to truncate with newsize be LONG_MAX which will lead to > overflow for holebegin: > > loff_t holebegin = round_up(newsize, PAGE_SIZE); > > Since there is no meaning to truncate a file to LONG_MAX, return here > to avoid burn a bunch of cpu cycles. > > Signed-off-by: Ma Wupeng <mawupeng1@xxxxxxxxxx> > --- > mm/truncate.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/mm/truncate.c b/mm/truncate.c > index 7b4ea4c4a46b..99b6ce2d669b 100644 > --- a/mm/truncate.c > +++ b/mm/truncate.c > @@ -730,6 +730,9 @@ void truncate_pagecache(struct inode *inode, loff_t newsize) > struct address_space *mapping = inode->i_mapping; > loff_t holebegin = round_up(newsize, PAGE_SIZE); > > + if (holebegin < 0) > + return; > + > /* > * unmap_mapping_range is called twice, first simply for > * efficiency so that truncate_inode_pages does fewer
