Patch "erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     erofs-avoid-infinite-loop-in-z_erofs_do_read_page-wh.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ab418c2e4ce893c2f6c065ff11c691b4fa2419ee
Author: Chunhai Guo <guochunhai@xxxxxxxx>
Date:   Mon Jul 10 17:34:10 2023 +0800

    erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
    
    [ Upstream commit 8191213a5835b0317c5e4d0d337ae1ae00c75253 ]
    
    z_erofs_do_read_page() may loop infinitely due to the inappropriate
    truncation in the below statement, since the offset is 64 bits and min_t()
    truncates the result to 32 bits. The solution is to replace unsigned int
    with a 64-bit type, such as erofs_off_t.
        cur = end - min_t(unsigned int, offset + end - map->m_la, end);
    
        - For example:
            - offset = 0x400160000
            - end = 0x370
            - map->m_la = 0x160370
            - offset + end - map->m_la = 0x400000000
            - offset + end - map->m_la = 0x00000000 (truncated as unsigned int)
        - Expected result:
            - cur = 0
        - Actual result:
            - cur = 0x370
    
    Signed-off-by: Chunhai Guo <guochunhai@xxxxxxxx>
    Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
    Reviewed-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx>
    Reviewed-by: Chao Yu <chao@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230710093410.44071-1-guochunhai@xxxxxxxx
    Signed-off-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index 8cb2cf612e49b..9cff927382599 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -629,7 +629,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
 	tight &= (clt->mode >= COLLECT_PRIMARY_HOOKED &&
 		  clt->mode != COLLECT_PRIMARY_FOLLOWED_NOINPLACE);
 
-	cur = end - min_t(unsigned int, offset + end - map->m_la, end);
+	cur = end - min_t(erofs_off_t, offset + end - map->m_la, end);
 	if (!(map->m_flags & EROFS_MAP_MAPPED)) {
 		zero_user_segment(page, cur, end);
 		goto next_part;
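
Review bot: the changed min_t() line has no comment saying why the comparison must be done in a 64-bit type, so a later cleanup could narrow it back to unsigned int and reintroduce the truncation described in the commit message. A one-line comment above it, noting that offset + end - map->m_la can exceed 32 bits and has to be compared as erofs_off_t, would record that. Any narrowing when the result is assigned to cur is harmless because the min_t() result is never larger than end. The expression still relies on map->m_la <= offset + end: if that did not hold, the unsigned subtraction would wrap to a huge value, min_t() would pick end, and cur would quietly become 0, so it is worth stating in the comment that the preceding mapping lookup guarantees this, or adding a check if it does not.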


