luojiajun reported a problem [1] two years ago which seems to still exist in
mainline. vfs_fallocate can avoid 'offset + len' triggering overflow, but
'offset + len + hpage_size - 1' may overflow too and will lead to a
wrong 'end'. luojiajun gave a solution which can fix the wrong 'end'
but leaves the overflow still happening. We should fix it by converting
'offset' to unsigned long long.
[1] https://patchwork.kernel.org/project/linux-mm/patch/1554775226-67213-1-git-send-email-luojiajun3@huawei.com/
Signed-off-by: yangerkun <redacted>
---
fs/hugetlbfs/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 49d2e686be74..8012a14901de 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -651,7 +651,8 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
* as well as being converted to page offsets.
*/
start = offset >> hpage_shift;
- end = (offset + len + hpage_size - 1) >> hpage_shift;
+ end = ((unsigned long long)offset + len + hpage_size - 1)
+ >> hpage_shift;
inode_lock(inode);
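Review bot: the cast on the `end` line only trades signed overflow for unsigned wraparound unless `offset + len` is already bounded, and the hunk itself does not say why the unsigned sum cannot wrap past 2^64; the commit message does mention that vfs_fallocate rejects an overflowing 'offset + len', and that argument (the sum is at most a bounded value plus `hpage_size - 1`, so it fits in 64 unsigned bits) should be stated either in the commit message or in the comment block directly above `start = offset >> hpage_shift;`, so a later reader does not have to rediscover why `((unsigned long long)offset + len + hpage_size - 1)` is safe while the original `(offset + len + hpage_size - 1)` was not. Also consider aligning the continued `>> hpage_shift;` with the opening parenthesis rather than a single tab, which is the usual style in this file.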
--
2.31.1