From 08655e8aab1ef283a886a71f25f577749f5564ba Mon Sep 17 00:00:00 2001
From: riastradh <riastradh@NetBSD.org>
Date: Sat, 29 Apr 2023 08:13:27 +0000
Subject: [PATCH] tmpfs: Refuse sizes that overflow round_page.

Reported-by: syzbot+8dbeee84de15f86df65b@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=4a27b9fe074f8d4b0afbe22969339b8dfdb157e8
---
 sys/fs/tmpfs/tmpfs_subr.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sys/fs/tmpfs/tmpfs_subr.c b/sys/fs/tmpfs/tmpfs_subr.c
index f3fb6a97b759..bda7db3d7289 100644
--- a/sys/fs/tmpfs/tmpfs_subr.c
+++ b/sys/fs/tmpfs/tmpfs_subr.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: tmpfs_subr.c,v 1.115 2023/04/29 06:29:55 riastradh Exp $	*/
+/*	$NetBSD: tmpfs_subr.c,v 1.116 2023/04/29 08:13:27 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2005-2020 The NetBSD Foundation, Inc.
@@ -73,7 +73,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tmpfs_subr.c,v 1.115 2023/04/29 06:29:55 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tmpfs_subr.c,v 1.116 2023/04/29 08:13:27 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/cprng.h>
@@ -907,6 +907,9 @@ tmpfs_reg_resize(struct vnode *vp, off_t newsize)
 	KASSERT(vp->v_type == VREG);
 	KASSERT(newsize >= 0);
 
+	if (newsize > __type_max(off_t) - PAGE_SIZE + 1)
+		return EFBIG;
+
 	oldsize = node->tn_size;
 	oldpages = round_page(oldsize) >> PAGE_SHIFT;
 	newpages = round_page(newsize) >> PAGE_SHIFT;