Re: [PATCH] hugetlbfs: end hpage in hugetlbfs_fallocate overflow

On Tue, Apr 09, 2019 at 10:00:26AM +0800, luojiajun wrote:
> In hugetlbfs_fallocate, start is rounded down and end is rounded up.
> But it is inappropriate to use loff_t rounding up end, it may cause
> overflow.
> 
> UBSAN: Undefined behaviour in fs/hugetlbfs/inode.c:582:22
> signed integer overflow:
> 2097152 + 9223372036854775805 cannot be represented in type 'long long int'

This patch can't fix this bug.

> @@ -578,8 +578,9 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
>  	 * For this range, start is rounded down and end is rounded up
>  	 * as well as being converted to page offsets.
>  	 */
> -	start = offset >> hpage_shift;
> -	end = (offset + len + hpage_size - 1) >> hpage_shift;
> +	start = (unsigned long long)offset >> hpage_shift;
> +	end = ((unsigned long long)(offset + len + hpage_size) - 1)
> +			>> hpage_shift;
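Review bot: the cast on the new `end` line wraps the result of `offset + len + hpage_size`, but that sum is still evaluated in signed long long first, so the addition UBSAN reports at inode.c:582 overflows exactly as before and the conversion only happens afterwards; move the cast onto `offset` so every addition is unsigned, e.g. `end = (((unsigned long long)offset + len + hpage_size) - 1) >> hpage_shift;`. Note that this only makes the arithmetic defined (it wraps modulo 2^64); it does not stop an `offset + len` close to the top of loff_t from producing a meaningless `end`, so a range check on `offset + len` before the rounding is what actually addresses the report. The cast added to the `start` line changes nothing for a non-negative offset.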

I suspect you mean:

	end = (((unsigned long long)offset + len + hpage_size) - 1) >>
			hpage_shift;

Otherwise, you're going to do the arithmetic in long long, then cast
to unsigned long long before the shift.

BTW, don't say "this can be reproduced using syzcaller".  This is an easy
case to extract a small reproducer from ... which would have helped you
notice that you haven't fixed the problem.
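To make the point about cast placement concrete, here is an added C example that is not part of this thread or of the kernel's code. It reconstructs the operands from the UBSAN line in the report (offset + len == 9223372036854775805, hpage_size == 2097152; the split into offset and len and the assumed 2 MiB huge page, hpage_shift == 21, are constructed for the example). It checks with `__builtin_add_overflow` whether the signed sum both the original and the patched line compute would overflow, computes `end` the way the reply suggests (cast first, unsigned arithmetic), and adds a hypothetical `rounded_end_fits` helper showing the range check a caller would want, since defined unsigned wraparound is not the same as a valid range.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel types and constants used in the quoted hunk
 * (assumption: a 2 MiB huge page, so hpage_shift == 21). */
typedef long long loff_t_sim;
#define HPAGE_SHIFT 21
#define HPAGE_SIZE  (1ULL << HPAGE_SHIFT)

/* Operands reconstructed from the UBSAN line in the report:
 * offset + len == 9223372036854775805, hpage_size == 2097152.
 * The split into offset and len is constructed for this example. */
static const loff_t_sim sample_offset = 9223372036854775805LL - 4096;
static const loff_t_sim sample_len    = 4096;

/* Both the original line and the patched line evaluate
 * `offset + len + hpage_size` in signed long long before any cast,
 * so this is the addition UBSAN flags. Returns true if it would
 * overflow, detected with __builtin_add_overflow instead of
 * performing the undefined addition. */
bool signed_sum_overflows(loff_t_sim offset, loff_t_sim len)
{
    loff_t_sim sum;
    if (__builtin_add_overflow(offset, len, &sum))
        return true;
    return __builtin_add_overflow(sum, (loff_t_sim)HPAGE_SIZE, &sum);
}

/* The reply's rewrite: casting `offset` first makes every addition
 * unsigned, so the arithmetic is defined (it wraps modulo 2^64
 * instead of being undefined behaviour). */
unsigned long long end_cast_first(loff_t_sim offset, loff_t_sim len)
{
    return (((unsigned long long)offset + len + HPAGE_SIZE) - 1) >> HPAGE_SHIFT;
}

/* Start page index; for a non-negative offset the cast changes nothing. */
unsigned long long start_page(loff_t_sim offset)
{
    return (unsigned long long)offset >> HPAGE_SHIFT;
}

/* Hypothetical helper (not kernel code): defined arithmetic is not the
 * same as a sane range. This reports whether the rounded-up end offset
 * fits in loff_t at all, which is the check to make before computing it. */
bool rounded_end_fits(loff_t_sim offset, loff_t_sim len)
{
    loff_t_sim tmp;
    if (offset < 0 || len <= 0)
        return false;
    if (__builtin_add_overflow(offset, len, &tmp))
        return false;
    return !__builtin_add_overflow(tmp, (loff_t_sim)(HPAGE_SIZE - 1), &tmp);
}

int main(void)
{
    printf("signed sum overflows:        %d\n",
           signed_sum_overflows(sample_offset, sample_len));
    printf("start page:                  %llu\n", start_page(sample_offset));
    printf("end page (cast first):       %llu\n",
           end_cast_first(sample_offset, sample_len));
    printf("rounded end fits in loff_t:  %d\n",
           rounded_end_fits(sample_offset, sample_len));
    return 0;
}
```

With these operands the signed sum overflows (the UBSAN case), while the cast-first form yields a well-defined end page of 2^42 one past the start page; `rounded_end_fits` still rejects the range, because the rounded-up end does not fit in loff_t, which is the condition a caller should test rather than relying on the wider type.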