Re: [PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
From: Junrui Luo
Date: Thu Apr 09 2026 - 06:38:58 EST
Hi Gao Xiang,
Thank you for the review.
On Thu, Apr 09, 2026 at 03:28:21PM +0800, Gao Xiang wrote:
> For this kind of stuff, do you have a reproducer?
I constructed a crafted EROFS image declaring plen=8192 and i_size=4096, giving
inpages=2 and outpages=1. Tested under QEMU with kernel v7.0-rc6 plus a temporary
pr_warn trace in z_erofs_lz4_handle_overlap():
[ 12.889652] erofs: BOUNDARY CHECK: outpages=1 < inpages=2
The image mounts and the decompressor is reached with
partial_decoding=false and outpages < inpages.
> I'm not sure what you're saying, but I don't think
> you really understand the entire logic.
>
> `m_la + m_llen` should not be page-aligned for typical
> erofs images, you can just mkfs.erofs -zlz4hc with some
> file and check it yourself.
>
> BTW, I just checked upstream, and the inplace branch
> works perfectly.
During testing I observed that the inplace branch was not entered with
my crafted image and incorrectly concluded it was structurally unreachable.
I apologize for the incorrect analysis.
Later, I crafted another image:
COMPRESSED_FULL layout, h_advise=0x0007 (32-byte extents)
feature_compat=0, 5 blocks total
Extent 0: lstart=0, pstart=4096, plen=8192 (LZ4)
Extent 1: lstart=2000, pstart=12288, plen=4096 (LZ4)
i_size=4096
Block 0: superblock + inodes + extent records
Block 1-2: extent 0 compressed data (non-zero padded)
Block 3: extent 1 compressed data
Block 4: padding
Mounted with cache_strategy=disabled, reading the file triggers:
[ 11.454290] BUG: unable to handle page fault for address: ffffed1100fecf57
[ 11.459901] Oops: Oops: 0000 [#1] SMP KASAN NOPTI
[ 11.466542] RIP: 0010:z_erofs_lz4_decompress+0x888/0x10f0
Thanks,
Junrui Luo
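Added example, not code from the patch, the message or the EROFS driver: a standalone C model of the page-count arithmetic the message describes (4096-byte pages, inpages from plen, outpages from the bytes an extent must produce) and of the difference between forming an in-place page slot with a bare unsigned subtraction and guarding it first. The struct, the demo_* names and the rule that an extent's output size runs from its lstart to the next extent's lstart (or i_size) are assumptions made here for illustration; the extent table is constructed from the values quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_PAGE_SHIFT 12u
#define DEMO_PAGE_SIZE  (1u << DEMO_PAGE_SHIFT)
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Hypothetical extent record (assumption): logical start and compressed
 * length in bytes, both taken from the image. */
struct demo_extent {
	uint32_t lstart;
	uint32_t plen;
};

/* Constructed table mirroring the second image quoted in the message. */
const struct demo_extent demo_image[] = {
	{ .lstart = 0,    .plen = 8192 },
	{ .lstart = 2000, .plen = 4096 },
};
const uint32_t demo_i_size = 4096;

/* Bytes extent i must decompress to: up to the next extent's lstart, or
 * to i_size for the last one (assumed layout rule, not EROFS's own). */
uint32_t demo_outputsize(const struct demo_extent *ext, size_t n, size_t i,
			 uint32_t i_size)
{
	uint32_t end = (i + 1 < n) ? ext[i + 1].lstart : i_size;

	if (end <= ext[i].lstart)
		return 0;
	return end - ext[i].lstart;
}

uint32_t demo_inpages(uint32_t plen)
{
	return DIV_ROUND_UP(plen, DEMO_PAGE_SIZE);
}

uint32_t demo_outpages(uint32_t outputsize)
{
	return DIV_ROUND_UP(outputsize, DEMO_PAGE_SIZE);
}

/* Unchecked: the first output slot the compressed pages would be placed in
 * for in-place decompression. With outpages < inpages this unsigned
 * subtraction wraps to a huge slot number, i.e. an out-of-bounds index. */
uint32_t demo_inplace_slot_unchecked(uint32_t outpages, uint32_t inpages)
{
	return outpages - inpages;
}

/* Checked: refuse the request before any slot is formed when the input
 * spans more pages than the output it claims to produce. */
bool demo_inplace_slot_checked(uint32_t outpages, uint32_t inpages,
			       uint32_t *slot)
{
	if (outpages < inpages)
		return false;
	*slot = outpages - inpages;
	return true;
}

/* Walk an extent table and count extents the guard rejects. */
size_t demo_count_rejected_extents(const struct demo_extent *ext, size_t n,
				   uint32_t i_size)
{
	size_t rejected = 0;

	for (size_t i = 0; i < n; i++) {
		uint32_t in = demo_inpages(ext[i].plen);
		uint32_t out = demo_outpages(demo_outputsize(ext, n, i, i_size));
		uint32_t slot;

		if (!demo_inplace_slot_checked(out, in, &slot))
			rejected++;
	}
	return rejected;
}

int main(void)
{
	size_t n = sizeof(demo_image) / sizeof(demo_image[0]);

	for (size_t i = 0; i < n; i++) {
		uint32_t in = demo_inpages(demo_image[i].plen);
		uint32_t out = demo_outpages(
			demo_outputsize(demo_image, n, i, demo_i_size));

		printf("extent %zu: inpages=%u outpages=%u unchecked slot=%u\n",
		       i, in, out, demo_inplace_slot_unchecked(out, in));
	}
	printf("rejected extents: %zu\n",
	       demo_count_rejected_extents(demo_image, n, demo_i_size));
	return 0;
}
```

Extent 0 (plen=8192 feeding a 2000-byte logical range) gives inpages=2 and outpages=1, so the unchecked slot is 0xFFFFFFFF while the checked variant rejects it; extent 1 (plen=4096, 2096 output bytes) is 1 page in and 1 page out and passes.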