(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). On Fri, 22 Jun 2018 23:37:27 +0000 bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote: > https://bugzilla.kernel.org/show_bug.cgi?id=200209 > > Bug ID: 200209 > Summary: UBSAN: Undefined behaviour in mm/fadvise.c:LINE > Product: Memory Management > Version: 2.5 > Kernel Version: v4.18-rc2 > Hardware: All > OS: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: Page Allocator > Assignee: akpm@xxxxxxxxxxxxxxxxxxxx > Reporter: icytxw@xxxxxxxxx > Regression: No > > Hi, > This bug was found in Linux Kernel v4.18-rc2 > > $ cat report0 > ================================================================================ > UBSAN: Undefined behaviour in mm/fadvise.c:76:10 > signed integer overflow: > 4 + 9223372036854775805 cannot be represented in type 'long long int' > CPU: 0 PID: 13477 Comm: syz-executor1 Not tainted 4.18.0-rc1 #2 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS > rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x122/0x1c8 lib/dump_stack.c:113 > ubsan_epilogue+0x12/0x86 lib/ubsan.c:159 > handle_overflow+0x1c2/0x21f lib/ubsan.c:190 > __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198 > ksys_fadvise64_64+0xbf0/0xd10 mm/fadvise.c:76 > __do_sys_fadvise64 mm/fadvise.c:198 [inline] > __se_sys_fadvise64 mm/fadvise.c:196 [inline] > __x64_sys_fadvise64+0xa9/0x120 mm/fadvise.c:196 > do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 That overflow is deliberate: endbyte = offset + len; if (!len || endbyte < len) endbyte = -1; else endbyte--; /* inclusive */ Or is there a hole in this logic? If not, I guess ee can do this another way to keep the checker happy.
