erofs: fix offset truncation when shifting pgoff on 32-bit platforms

hsiangkao · hsiangkao · commit c99493ce409c · 2026-04-21T16:56:08.000+08:00
On 32-bit platforms, pgoff_t is 32 bits wide, so left-shifting large arbitrary pgoff_t values by PAGE_SHIFT performs 32-bit arithmetic and silently truncates the result for pages beyond the 4 GiB boundary. Cast the page index to loff_t before shifting to produce a correct 64-bit byte offset. Fixes: 3862929 ("erofs: introduce readmore decompression strategy") Fixes: 307210c ("erofs: verify metadata accesses for file-backed mounts") Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
diff --git a/fs/erofs/data.c b/fs/erofs/data.c
@@ -39,7 +39,7 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
 	 * However, the data access range must be verified here in advance.
 	 */
 	if (buf->file) {
-		fpos = index << PAGE_SHIFT;
+		fpos = (loff_t)index << PAGE_SHIFT;
 		err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
 		if (err < 0)
 			return ERR_PTR(err);
diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
@@ -1872,7 +1872,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_frontend *f,
 
 		if (cur < PAGE_SIZE)
 			break;
-		cur = (index << PAGE_SHIFT) - 1;
+		cur = ((loff_t)index << PAGE_SHIFT) - 1;
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1872,7 +1872,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_frontend *f,`
`1872`	`1872`
`1873`	`1873`	`if (cur < PAGE_SIZE)`
`1874`	`1874`	`break;`
`1875`		`- cur = (index << PAGE_SHIFT) - 1;`
	`1875`	`+ cur = ((loff_t)index << PAGE_SHIFT) - 1;`
`1876`	`1876`	`}`
`1877`	`1877`	`}`
`1878`	`1878`