[PATCH] mm: shmem: avoid overflowing in shmem_fallocate

"offset + len" has the potential of overflowing. Validate this user input
first to avoid undefined behaviour.

Signed-off-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
---
 mm/shmem.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/shmem.c b/mm/shmem.c
index 185836b..5a0e344 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2098,6 +2098,9 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset,
 	}
 
 	/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
+	error = -EOVERFLOW;
+	if ((u64)len + offset < (u64)len)
+		goto out;
 	error = inode_newsize_ok(inode, offset + len);
 	if (error)
 		goto out;
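Review bot: the new test `if ((u64)len + offset < (u64)len)` only catches wrap-around past 2^64, while the sum handed to inode_newsize_ok() on the following line is still `offset + len` on a signed loff_t offset. When both values are non-negative the u64 sum can never wrap, so the test passes and the signed addition can still exceed the loff_t maximum, which is the undefined behaviour the commit message is about. If the caller already rejects negative offset and len, this check is dead code. If it does not, the check should be done against the signed limit instead, for example by rejecting offset < 0, len < 0 and len greater than the loff_t maximum minus offset before the addition. Two smaller points: the added lines sit between the "check rlimit" comment and the inode_newsize_ok() call that comment describes, so they would read better above the comment with a one-line comment of their own, and the commit message should say which caller can reach here with unvalidated values.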
-- 
1.7.10.4
