From: Gao Xiang <hsiangkao@linux.alibaba.com>
Date: Mon, 20 Apr 2026 03:46:12 +0000 (+0800)
Subject: erofs: fix offset truncation when shifting pgoff on 32-bit platforms
X-Git-Tag: v7.1-rc1~58^2~1
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c99493ce409c3b98fec1616dbcf24c102e006deb;p=thirdparty%2Flinux.git

erofs: fix offset truncation when shifting pgoff on 32-bit platforms

On 32-bit platforms, pgoff_t is 32 bits wide, so left-shifting
large arbitrary pgoff_t values by PAGE_SHIFT performs 32-bit arithmetic
and silently truncates the result for pages beyond the 4 GiB boundary.

Cast the page index to loff_t before shifting to produce a correct
64-bit byte offset.

Fixes: 386292919c25 ("erofs: introduce readmore decompression strategy")
Fixes: 307210c262a2 ("erofs: verify metadata accesses for file-backed mounts")
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---

diff --git a/fs/erofs/data.c b/fs/erofs/data.c
index 132a27deb2f3..b2c12c5856ac 100644
--- a/fs/erofs/data.c
+++ b/fs/erofs/data.c
@@ -39,7 +39,7 @@ void *erofs_bread(struct erofs_buf *buf, erofs_off_t offset, bool need_kmap)
 	 * However, the data access range must be verified here in advance.
 	 */
 	if (buf->file) {
-		fpos = index << PAGE_SHIFT;
+		fpos = (loff_t)index << PAGE_SHIFT;
 		err = rw_verify_area(READ, buf->file, &fpos, PAGE_SIZE);
 		if (err < 0)
 			return ERR_PTR(err);
diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index 8a0b15511931..43bb5a6a9924 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1872,7 +1872,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_frontend *f,
 
 		if (cur < PAGE_SIZE)
 			break;
-		cur = (index << PAGE_SHIFT) - 1;
+		cur = ((loff_t)index << PAGE_SHIFT) - 1;
 	}
 }