[bug report] hugetlbfs: fix offset overflow in hugetlbfs mmap

Hello Mike Kravetz,

The patch 045c7a3f53d9: "hugetlbfs: fix offset overflow in hugetlbfs
mmap" from Apr 13, 2017, leads to the following static checker
warning:

	fs/hugetlbfs/inode.c:152 hugetlbfs_file_mmap()
	warn: signed overflow undefined. 'vma_len + (vma->vm_pgoff << 12) < vma_len'

fs/hugetlbfs/inode.c
   121  static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
   122  {
   123          struct inode *inode = file_inode(file);
   124          loff_t len, vma_len;
   125          int ret;
   126          struct hstate *h = hstate_file(file);
   127  
   128          /*
   129           * vma address alignment (but not the pgoff alignment) has
   130           * already been checked by prepare_hugepage_range.  If you add
   131           * any error returns here, do so after setting VM_HUGETLB, so
   132           * is_vm_hugetlb_page tests below unmap_region go the right
   133           * way when do_mmap_pgoff unwinds (may be important on powerpc
   134           * and ia64).
   135           */
   136          vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
   137          vma->vm_ops = &hugetlb_vm_ops;
   138  
   139          /*
   140           * Offset passed to mmap (before page shift) could have been
   141           * negative when represented as a (l)off_t.
   142           */
   143          if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0)
   144                  return -EINVAL;
   145  
   146          if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
   147                  return -EINVAL;
   148  
   149          vma_len = (loff_t)(vma->vm_end - vma->vm_start);
   150          len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
   151          /* check for overflow */
   152          if (len < vma_len)
                    ^^^^^^^^^^^^^
This is undefined in C.  I think with kernel GCC options it's safe these
days, but I can't swear on it.

   153                  return -EINVAL;
   154  
   155          inode_lock(inode);
   156          file_accessed(file);

regards,
dan carpenter
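
A userspace illustration of the point raised above, added here and not part of Dan's mail or of the kernel tree: the excerpt's signed "len < vma_len" test, beside a rewrite that performs the same two rejections (negative offset, end past the top of loff_t) with the GCC/Clang builtin __builtin_add_overflow, so no overflowing signed expression is ever evaluated. loff_t, PAGE_SHIFT and the sample inputs are assumed stand-ins for the kernel definitions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel definitions the excerpt relies on
 * (assumed values; loff_t is a signed 64-bit type in the kernel). */
typedef int64_t loff_t;
#define PAGE_SHIFT 12

/* The pattern the checker flags: a signed add, then "len < vma_len".
 * If the add overflows the behaviour is undefined, so without -fwrapv or
 * -fno-strict-overflow the compiler may treat the comparison as always false. */
static bool overflow_check_as_in_excerpt(loff_t vma_len, unsigned long pgoff)
{
	loff_t len = vma_len + ((loff_t)pgoff << PAGE_SHIFT);
	return len < vma_len;
}

/* Well-defined rewrite: the page shift is done in unsigned arithmetic and
 * the add goes through __builtin_add_overflow, which reports wrap-around
 * without evaluating an overflowing signed expression.
 * Returns the mapping end offset, or -EINVAL where the excerpt would reject. */
static loff_t hugetlb_mmap_len(loff_t vma_len, unsigned long pgoff)
{
	loff_t off, len;

	/* pgoff << PAGE_SHIFT must stay representable as a non-negative loff_t
	 * (the excerpt's "negative offset" test, without the signed shift). */
	if ((uint64_t)pgoff > ((uint64_t)INT64_MAX >> PAGE_SHIFT))
		return -EINVAL;
	off = (loff_t)((uint64_t)pgoff << PAGE_SHIFT);

	/* the excerpt's "check for overflow", expressed without UB */
	if (__builtin_add_overflow(vma_len, off, &len))
		return -EINVAL;
	return len;
}

int main(void)
{
	/* constructed inputs: a 2 MiB mapping at page offset 1024 */
	printf("len=%lld\n", (long long)hugetlb_mmap_len(2 << 20, 1024));
	/* an offset that pushes the end past INT64_MAX is rejected */
	printf("%lld\n", (long long)hugetlb_mmap_len(INT64_MAX - 4095, 1));
	/* the original pattern, on inputs that do not overflow */
	printf("%d\n", overflow_check_as_in_excerpt(4096, 1));
	return 0;
}
```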
