From: Gao Xiang
To: linux-erofs@lists.ozlabs.org
Cc: LKML, oliver.yang@linux.alibaba.com, Gao Xiang
Subject: [PATCH] erofs: fix offset truncation when shifting pgoff on 32-bit platforms
Date: Mon, 20 Apr 2026 11:46:12 +0800
Message-ID: <20260420034612.1899973-1-hsiangkao@linux.alibaba.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 32-bit platforms, pgoff_t is 32 bits wide, so left-shifting large
arbitrary pgoff_t values by PAGE_SHIFT performs 32-bit arithmetic and
silently truncates the result for pages beyond the 4 GiB boundary.

Cast the page index to loff_t before shifting to produce a correct
64-bit byte offset.

Fixes: 386292919c25 ("erofs: introduce readmore decompression strategy")
Fixes: 307210c262a2 ("erofs: verify metadata accesses for file-backed mounts")
Signed-off-by: Gao Xiang
Reviewed-by: Chao Yu
--- fs/erofs/data.c | 2 +- fs/erofs/zdata.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/erofs/data.c b/fs/erofs/data.c index 132a27deb2f3..b2c12c5856ac 100644 --- a/fs/erofs/data.c +++ b/fs/erofs/data.c 
@@ -39,7 +39,7 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offs= et, bool need_kmap) * However, the data access range must be verified here in advance. */ if (buf->file) { - fpos =3D index << PAGE_SHIFT; + fpos =3D (loff_t)index << PAGE_SHIFT; err =3D rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE); if (err < 0) return ERR_PTR(err); diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c index 8a0b15511931..43bb5a6a9924 100644 --- a/fs/erofs/zdata.c +++ b/fs/erofs/zdata.c @@ -1872,7 +1872,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_= frontend *f, =20 if (cur < PAGE_SIZE) break; - cur =3D (index << PAGE_SHIFT) - 1; + cur =3D ((loff_t)index << PAGE_SHIFT) - 1; } } =20 --=20 2.43.5
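Review bot: in the fs/erofs/data.c hunk, the changelog does not say what the truncated value fed into: the line after the fix passes &fpos to rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE), so before this change a 32-bit build verified the access range at the wrapped offset rather than at the page actually being read. Suggest adding a sentence to the commit message stating that consequence for file-backed mounts, which appears to be what the second Fixes: tag refers to. Separately, index is still a pgoff_t while erofs_bread() takes an erofs_off_t offset, so it is worth confirming that offsets too large for a 32-bit page index are rejected before this point; the cast cannot recover bits lost earlier.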
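Review bot: in the z_erofs_pcluster_readmore() hunk of fs/erofs/zdata.c, the declaration of cur is outside the visible context, and the cast in cur = ((loff_t)index << PAGE_SHIFT) - 1 only helps if cur is itself a 64-bit type; if it is narrower, the assignment truncates the value again on 32-bit. Please confirm the type of cur and of the bound it is compared against in the surrounding loop, and consider naming the readmore path in the changelog body the way the first Fixes: tag does, so that backporters can see which read path was computing a wrapped offset.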