From patchwork Mon Mar 6 11:33:17 2023
X-Patchwork-Submitter: mawupeng
X-Patchwork-Id: 13160994
From: Wupeng Ma
Subject: [PATCH] mm: Return early in truncate_pagecache if newsize overflows
Date: Mon, 6 Mar 2023 19:33:17 +0800
Message-ID: <20230306113317.2295343-1-mawupeng1@huawei.com>

From: Ma Wupeng

Our own test reports a UBSAN in truncate_pagecache:

  UBSAN: Undefined behaviour in mm/truncate.c:788:9
  signed integer overflow:
  9223372036854775807 + 1 cannot be represented in type 'long long int'
  Call Trace:
    truncate_pagecache+0xd4/0xe0
    truncate_setsize+0x70/0x88
    simple_setattr+0xdc/0x100
    notify_change+0x654/0xb00
    do_truncate+0x108/0x1a8
    do_sys_ftruncate+0x2ec/0x4a0
    __arm64_sys_ftruncate+0x5c/0x80

For a huge file which passes LONG_MAX to ftruncate, truncate_pagecache()
will be called to truncate with newsize being LONG_MAX, which will lead to
an overflow for holebegin:

  loff_t holebegin = round_up(newsize, PAGE_SIZE);

Since there is no meaning to truncate a file to LONG_MAX, return here
to avoid burning a bunch of cpu cycles.

Signed-off-by: Ma Wupeng
--- mm/truncate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/truncate.c b/mm/truncate.c index 7b4ea4c4a46b..99b6ce2d669b 100644 --- a/mm/truncate.c +++ b/mm/truncate.c 
@@ -730,6 +730,9 @@ void truncate_pagecache(struct inode *inode, loff_t newsize) struct address_space *mapping = inode->i_mapping; loff_t holebegin = round_up(newsize, PAGE_SIZE); + if (holebegin < 0) + return; + /* * unmap_mapping_range is called twice, first simply for * efficiency so that truncate_inode_pages does fewer
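Review bot: The new `if (holebegin < 0)` test sits after the initializer `loff_t holebegin = round_up(newsize, PAGE_SIZE);`, so the signed addition that UBSAN flags has already been evaluated by the time the check runs, and the check itself depends on the overflowed result happening to come out negative. Validate `newsize` before rounding instead, for example by leaving `holebegin` uninitialized at its declaration, returning early when `newsize` is larger than the biggest page-aligned value that fits in `loff_t`, and only then calling `round_up()`. Because `truncate_pagecache()` returns void, the early return is also invisible to the caller, so a short comment above it explaining why skipping the unmap and truncate is safe in this case would help the next reader.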