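/*
 * kbuild test robot report, 0-DAY kernel test infrastructure
 * (Open Source Technology Center, Intel Corporation,
 * https://lists.01.org/pipermail/kbuild-all)
 *
 * tree:     git://git.cmpxchg.org/linux-mmotm.git master
 * head:     ead058c4ec49752a4e0323368f1d695385c66020
 * commit:   af7abfba1161d2814301844fe11adac16910ea80 [8/285] hugetlbfs-check-for-pgoff-value-overflow-v3
 * config:   sh-defconfig (attached as .config)
 * compiler: sh4-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0
 * reproduce:
 *   wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
 *   chmod +x ~/bin/make.cross
 *   git checkout af7abfba1161d2814301844fe11adac16910ea80
 *   # save the attached .config to linux build tree
 *   make.cross ARCH=sh
 *
 * All warnings (new ones prefixed by >>):
 *
 *   fs//hugetlbfs/inode.c: In function 'hugetlbfs_file_mmap':
 *   >> fs//hugetlbfs/inode.c:118:36: warning: left shift count is negative [-Wshift-count-negative]
 *       #define PGOFF_LOFFT_MAX (PAGE_MASK << (BITS_PER_LONG - (2 * PAGE_SHIFT) - 1))
 *                                          ^
 *   >> fs//hugetlbfs/inode.c:142:22: note: in expansion of macro 'PGOFF_LOFFT_MAX'
 *       if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
 *                           ^~~~~~~~~~~~~~~
 *
 * vim +/PGOFF_LOFFT_MAX +142 fs//hugetlbfs/inode.c
 *
 * The listing below is the quoted region of fs/hugetlbfs/inode.c (lines
 * 110-173 in the report), with the flagged macro at line 118 rewritten so
 * that its shift count can no longer go negative.
 */

/*
 * Mask used when checking the page offset value passed in via system
 * calls.  This value will be converted to a loff_t which is signed.
 * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
 * value.  The extra bit is to take the sign bit into account.
 *
 * The mask is built from its width (PAGE_SHIFT + 1 one-bits) and then
 * moved to the top of the word.  The form flagged by the report,
 *
 *	PAGE_MASK << (BITS_PER_LONG - (2 * PAGE_SHIFT) - 1)
 *
 * has a negative shift count whenever 2 * PAGE_SHIFT + 1 exceeds
 * BITS_PER_LONG.  That is undefined behaviour, so on such a
 * configuration the overflow check in hugetlbfs_file_mmap() would test
 * vm_pgoff against an unspecified mask.  Wherever the old shift count
 * was non-negative, both forms select the same top PAGE_SHIFT + 1 bits.
 */
#define PGOFF_LOFFT_MAX \
	(((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1)))

/*
 * mmap handler for hugetlbfs files.
 *
 * Marks the VMA as a hugetlb mapping, validates the caller-supplied page
 * offset, reserves huge pages for the mapped range and, for writable
 * mappings, grows i_size to cover it.
 *
 * Returns 0 on success, -EINVAL when vm_pgoff is out of range, is not
 * huge page aligned or makes the end offset overflow, and -ENOMEM when
 * hugetlb_reserve_pages() reports failure.
 */
static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
{
	struct inode *inode = file_inode(file);
	loff_t len, vma_len;
	int ret;
	struct hstate *h = hstate_file(file);

	/*
	 * vma address alignment (but not the pgoff alignment) has
	 * already been checked by prepare_hugepage_range.  If you add
	 * any error returns here, do so after setting VM_HUGETLB, so
	 * is_vm_hugetlb_page tests below unmap_region go the right
	 * way when do_mmap_pgoff unwinds (may be important on powerpc
	 * and ia64).
	 */
	vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
	vma->vm_ops = &hugetlb_vm_ops;

	/*
	 * page based offset in vm_pgoff could be sufficiently large to
	 * overflow a (l)off_t when converted to byte offset.  vm_pgoff
	 * comes from the mmap caller, so it is rejected here before it
	 * is shifted into a byte offset below.
	 *
	 * NOTE(review): if loff_t is wider than unsigned long on a given
	 * configuration, the shift below cannot overflow and this check
	 * is only conservative there - confirm whether large offsets on
	 * such builds need to be accepted.
	 */
	if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
		return -EINVAL;

	/* must be huge page aligned */
	if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
		return -EINVAL;

	vma_len = (loff_t)(vma->vm_end - vma->vm_start);
	len = vma_len + ((loff_t)vma->vm_pgoff << PAGE_SHIFT);
	/* check for overflow */
	if (len < vma_len)
		return -EINVAL;

	inode_lock(inode);
	file_accessed(file);

	/* Assume failure until the reservation succeeds. */
	ret = -ENOMEM;
	if (hugetlb_reserve_pages(inode,
				vma->vm_pgoff >> huge_page_order(h),
				len >> huge_page_shift(h), vma,
				vma->vm_flags))
		goto out;

	ret = 0;
	/* A writable mapping past the current end of file extends i_size. */
	if ((vma->vm_flags & VM_WRITE) && inode->i_size < len)
		i_size_write(inode, len);
out:
	inode_unlock(inode);

	return ret;
}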
Attachment:
.config.gz
Description: application/gzip