From: David Carlier
To: akpm@linux-foundation.org
Cc: pratyush@kernel.org, pasha.tatashin@soleen.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, David Carlier
Subject: [PATCH 1/2] mm/memfd_luo: reject memfds whose page count exceeds UINT_MAX
Date: Thu, 23 Apr 2026 13:56:47 +0100
Message-ID: <20260423125648.152113-1-devnexen@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Mailing-List: linux-kernel@vger.kernel.org

memfd_luo_preserve_folios() declares max_folios as unsigned int and computes it from the inode size, then passes it to memfd_pin_folios() which itself caps max_folios at unsigned int. For files whose base-page count exceeds UINT_MAX (larger than 16 TiB with 4 KiB pages), the assignment truncates silently: only a prefix of the file gets pinned and preserved, while memfd_luo_preserve() still records the full inode size in ser->size. On retrieve the inode is restored to the full size but only the preserved prefix repopulates the page cache, so the tail comes back as holes and user data is silently lost across the live update.

Reject such files at preserve time with -EFBIG rather than chunk the pin loop, which would also require enlarging the preserved folios array well beyond what is practical.

Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: David Carlier
--- mm/memfd_luo.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c index b02b503c750d..f41d11053b7d 100644 --- a/mm/memfd_luo.c 
+++ b/mm/memfd_luo.c @@ -259,7 +259,7 @@ static int memfd_luo_preserve(struct liveupdate_file_op_args *args) struct inode *inode = file_inode(args->file); struct memfd_luo_folio_ser *folios_ser; struct memfd_luo_ser *ser; - u64 nr_folios; + u64 nr_folios, inode_size; int err = 0, seals; inode_lock(inode); @@ -285,7 +285,18 @@ static int memfd_luo_preserve(struct liveupdate_file_op_args *args) } ser->pos = args->file->f_pos; - ser->size = i_size_read(inode); + inode_size = i_size_read(inode); + + /* + * memfd_pin_folios() caps at UINT_MAX folios; refuse larger + * files to avoid silently preserving only a prefix. + */ + if (DIV_ROUND_UP_ULL(inode_size, PAGE_SIZE) > UINT_MAX) { + err = -EFBIG; + goto err_free_ser; + } + + ser->size = inode_size; ser->seals = seals; err = memfd_luo_preserve_folios(args->file, &ser->folios, -- 2.53.0
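
Review bot: in the second hunk, the new comment says memfd_pin_folios() "caps at UINT_MAX folios", but the condition beneath it counts PAGE_SIZE base pages (DIV_ROUND_UP_ULL(inode_size, PAGE_SIZE) > UINT_MAX), so the comment and the test describe different units. Per the commit message, the value that narrows is max_folios in memfd_luo_preserve_folios(), computed from the inode size; the comment would be more accurate if it named that, for example "max_folios is derived from the base-page count and is an unsigned int". The check also sits in the caller, away from the computation it protects; placing it next to the max_folios assignment, or having both use one helper for the page count, would keep the two from drifting apart if either changes later.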
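
The narrowing described in the commit message, modelled in userspace C as an added example (not part of the patch or of the kernel source). The model_* names are hypothetical, and the model assumes 4 KiB pages, a 32-bit unsigned int, and one base page per pinned folio.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096ULL /* assumption: 4 KiB pages, as in the commit message */

/* Base pages needed to cover size bytes, rounded up, kept in 64 bits. */
static uint64_t model_nr_pages(uint64_t size)
{
	return size / MODEL_PAGE_SIZE + (size % MODEL_PAGE_SIZE != 0);
}

/* Value an unsigned int max_folios ends up holding after the silent narrowing. */
static unsigned int model_truncated_max(uint64_t size)
{
	return (unsigned int)model_nr_pages(size);
}

/* Bytes left uncovered if only the narrowed count of pages is pinned. */
static uint64_t model_lost_bytes(uint64_t size)
{
	uint64_t covered = (uint64_t)model_truncated_max(size) * MODEL_PAGE_SIZE;

	return covered >= size ? 0 : size - covered;
}

/* The guard the patch adds: refuse instead of preserving only a prefix. */
static int model_preserve_check(uint64_t size)
{
	return model_nr_pages(size) > UINT_MAX ? -EFBIG : 0;
}

int main(void)
{
	/* Constructed sizes around the 16 TiB boundary. */
	const uint64_t sizes[] = {
		(uint64_t)UINT_MAX * MODEL_PAGE_SIZE, /* largest accepted size */
		1ULL << 44,                           /* 2^32 pages: narrows to 0 */
		(1ULL << 44) + 1,                     /* 2^32 + 1 pages: narrows to 1 */
	};

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("size=%llu pages=%llu narrowed=%u lost=%llu check=%d\n",
		       (unsigned long long)sizes[i],
		       (unsigned long long)model_nr_pages(sizes[i]),
		       model_truncated_max(sizes[i]),
		       (unsigned long long)model_lost_bytes(sizes[i]),
		       model_preserve_check(sizes[i]));
	return 0;
}
```

Just past the boundary the narrowed count wraps to 0 or 1, so in this model almost the whole file, not only a small tail, would go unpinned without the guard.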