iomap: Fix overflow in iomap_page_mkwrite (add66fcb) · Commits · 戴 / test

On architectures where loff_t is wider than pgoff_t, the expression ((page->index + 1) << PAGE_SHIFT) can overflow. Rewrite to use the page offset, which we already compute here anyway. Signed-off-by:

Andreas Gruenbacher <agruenba@redhat.com> Reviewed-by:

Christoph Hellwig <hch@lst.de> Reviewed-by:

Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by:

Darrick J. Wong <darrick.wong@oracle.com>

fs/iomap/buffered-io.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -1067,20 +1067,19 @@ vm_fault_t iomap_page_mkwrite(struct vm_fault vmf, const struct iomap_ops ops)

		lock_page(page);
		size = i_size_read(inode);
		if ((page->mapping != inode->i_mapping) \|\|
		(page_offset(page) > size)) {
		offset = page_offset(page);
		if (page->mapping != inode->i_mapping \|\| offset > size) {
		/* We overload EFAULT to mean page got truncated */
		ret = -EFAULT;
		goto out_unlock;
		}

		/* page is wholly or partially inside EOF */
		if (((page->index + 1) << PAGE_SHIFT) > size)
		if (offset > size - PAGE_SIZE)
		length = offset_in_page(size);
		else
		length = PAGE_SIZE;

		offset = page_offset(page);
		while (length > 0) {
		ret = iomap_apply(inode, offset, length,
		IOMAP_WRITE \| IOMAP_FAULT, ops, page,

Admin message