On April 12, 2017 6:52 AM Mike Kravetz wrote:
>
> If mmap() maps a file, it can be passed an offset into the file at
> which the mapping is to start. Offset could be a negative value when
> represented as a loff_t. The offset plus length will be used to
> update the file size (i_size) which is also a loff_t. Validate the
> value of offset and offset + length to make sure they do not overflow
> and appear as negative.
>
> Found by syzkaller with commit ff8c0c53c475 ("mm/hugetlb.c: don't call
> region_abort if region_chg fails") applied. Prior to this commit, the
> overflow would still occur but we would luckily return ENOMEM.
> To reproduce:
> mmap(0, 0x2000, 0, 0x40021, 0xffffffffffffffffULL, 0x8000000000000000ULL);
>
> Resulted in,
> kernel BUG at mm/hugetlb.c:742!
> Call Trace:
> hugetlbfs_evict_inode+0x80/0xa0
> ? hugetlbfs_setattr+0x3c0/0x3c0
> evict+0x24a/0x620
> iput+0x48f/0x8c0
> dentry_unlink_inode+0x31f/0x4d0
> __dentry_kill+0x292/0x5e0
> dput+0x730/0x830
> __fput+0x438/0x720
> ____fput+0x1a/0x20
> task_work_run+0xfe/0x180
> exit_to_usermode_loop+0x133/0x150
> syscall_return_slowpath+0x184/0x1c0
> entry_SYSCALL_64_fastpath+0xab/0xad
>
> Reported-by: Vegard Nossum <vegard.nossum@xxxxxxxxx>
> Signed-off-by: Mike Kravetz <mike.kravetz@xxxxxxxxxx>
> ---

Acked-by: Hillf Danton <hillf.zj@xxxxxxxxxxxxxxx>
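The two checks the patch description asks for (offset not negative as a loff_t, offset + length not overflowing), modelled as a userspace C example that is not the patch's own code: it assumes 4 KiB base pages (PAGE_SHIFT 12) and a hypothetical `check_hugetlb_mmap()` that mirrors how mmap() converts the byte offset to a page number before the filesystem shifts it back; `unchecked_new_size()` shows the i_size the reproducer's arguments would have produced without validation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t loff_t;            /* kernel file offsets are signed 64-bit */
#define PAGE_SHIFT 12              /* assumption: 4 KiB base pages (x86-64) */
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Outcome of validating one mmap request (illustrative model, not kernel code). */
struct map_check {
    int err;        /* 0 on success, -EINVAL when offset or offset + length is bad */
    loff_t offset;  /* byte offset the mapping starts at, as the filesystem sees it */
    loff_t end;     /* offset + length, the value i_size would be raised to */
};

/* i_size the file would be extended to if nothing validated the request.
 * Unsigned arithmetic mirrors two's-complement wrap without signed-overflow UB. */
loff_t unchecked_new_size(uint64_t off, uint64_t len)
{
    uint64_t pgoff  = off >> PAGE_SHIFT;       /* what mmap() hands the filesystem */
    uint64_t offset = pgoff << PAGE_SHIFT;     /* shifted back into a byte offset */
    return (loff_t)(offset + len);             /* negative once bit 63 is set */
}

/* The validation from the patch description, applied to the same inputs. */
struct map_check check_hugetlb_mmap(uint64_t off, uint64_t len)
{
    struct map_check r = { .err = 0, .offset = 0, .end = 0 };

    if (off & (PAGE_SIZE - 1)) {               /* mmap() rejects unaligned offsets */
        r.err = -EINVAL;
        return r;
    }
    r.offset = (loff_t)((off >> PAGE_SHIFT) << PAGE_SHIFT);
    if (r.offset < 0) {                        /* offset negative as a loff_t */
        r.err = -EINVAL;
        return r;
    }
    if (len > (uint64_t)(INT64_MAX - r.offset)) { /* offset + len would wrap */
        r.err = -EINVAL;
        return r;
    }
    r.end = r.offset + (loff_t)len;
    return r;
}

int main(void)
{
    /* Offset and length from the syzkaller reproducer in the patch description. */
    struct map_check r = check_hugetlb_mmap(0x8000000000000000ULL, 0x2000);
    printf("i_size without check: %lld, err with check: %d\n",
           (long long)unchecked_new_size(0x8000000000000000ULL, 0x2000), r.err);
    return 0;
}
```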