From: Ryan Roberts Date: Fri, 3 Oct 2025 15:52:36 +0000 (+0100) Subject: fsnotify: pass correct offset to fsnotify_mmap_perm() X-Git-Tag: v6.18-rc1~12^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28bba2c2935e219d6cb6946e16b9a0b7c47913be;p=thirdparty%2Fkernel%2Fstable.git fsnotify: pass correct offset to fsnotify_mmap_perm() fsnotify_mmap_perm() requires a byte offset for the file about to be mmap'ed. But it is called from vm_mmap_pgoff(), which has a page offset. Previously the conversion was done incorrectly so let's fix it, being careful not to overflow on 32-bit platforms. Discovered during code review. Link: https://lkml.kernel.org/r/20251003155238.2147410-1-ryan.roberts@arm.com Fixes: 066e053fe208 ("fsnotify: add pre-content hooks on mmap()") Signed-off-by: Ryan Roberts Reviewed-by: Kiryl Shutsemau Cc: Amir Goldstein Cc: David Hildenbrand Cc: Liam Howlett Cc: Lorenzo Stoakes Cc: Michal Hocko Cc: Mike Rapoport Cc: Suren Baghdasaryan Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton --- diff --git a/mm/util.c b/mm/util.c index 6c1d64ed02211..8989d57675286 100644 --- a/mm/util.c +++ b/mm/util.c @@ -566,6 +566,7 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long pgoff) { + loff_t off = (loff_t)pgoff << PAGE_SHIFT; unsigned long ret; struct mm_struct *mm = current->mm; unsigned long populate; @@ -573,7 +574,7 @@ unsigned long vm_mmap_pgoff(struct file *file, unsigned long addr, ret = security_mmap_file(file, prot, flag); if (!ret) - ret = fsnotify_mmap_perm(file, prot, pgoff >> PAGE_SHIFT, len); + ret = fsnotify_mmap_perm(file, prot, off, len); if (!ret) { if (mmap_write_lock_killable(mm)) return -EINTR;