iomap: Fix overflow in iomap_page_mkwrite
On architectures where loff_t is wider than pgoff_t, the expression
((page->index + 1) << PAGE_SHIFT) can overflow.  Rewrite to use the page
offset, which we already compute here anyway.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Andreas Gruenbacher authored and Darrick J. Wong committed Nov 7, 2019
1 parent a901004 commit add66fc
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions fs/iomap/buffered-io.c
Expand Up @@ -1067,20 +1067,19 @@ vm_fault_t iomap_page_mkwrite(struct vm_fault *vmf, const struct iomap_ops *ops)

lock_page(page);
size = i_size_read(inode);
if ((page->mapping != inode->i_mapping) ||
(page_offset(page) > size)) {
offset = page_offset(page);
if (page->mapping != inode->i_mapping || offset > size) {
/* We overload EFAULT to mean page got truncated */
ret = -EFAULT;
goto out_unlock;
}

/* page is wholly or partially inside EOF */
if (((page->index + 1) << PAGE_SHIFT) > size)
if (offset > size - PAGE_SIZE)
length = offset_in_page(size);
else
length = PAGE_SIZE;

offset = page_offset(page);
while (length > 0) {
ret = iomap_apply(inode, offset, length,
IOMAP_WRITE | IOMAP_FAULT, ops, page,
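
Review bot: The new partial-page test `if (offset > size - PAGE_SIZE)` subtracts from `size` with nothing visible here guaranteeing `size >= PAGE_SIZE`. For a file shorter than one page, the result is negative if the arithmetic is signed and wraps to a very large value if it is promoted to unsigned. The declarations of `size` and `offset` are outside this hunk, so the types cannot be confirmed from here. In the wrapping case the test is false and `length` becomes PAGE_SIZE instead of `offset_in_page(size)`. The earlier truncation check already guarantees `offset <= size` at this point, so `if (size - offset < PAGE_SIZE)` states the same condition with no underflow and no overflow. Failing that, a comment saying why the subtraction is safe for small files would help the next reader.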