From: Marco Nelissen <marco.nelissen@gmail.com> mainline inclusion from mainline-v6.13 commit f505e6c91e7a22d10316665a86d79f84d9f0ba76 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBJXF6 CVE: CVE-2025-21665 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. Link: https://lkml.kernel.org/r/20250102190540.1356838-1-marco.nelissen@gmail.com Fixes: 54fa39ac2e00 ("iomap: use mapping_seek_hole_data") Signed-off-by: Marco Nelissen <marco.nelissen@gmail.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Conflicts: mm/filemap.c [context conflicts, becasuse this code branch does not have folio_seek_hole_data()] Signed-off-by: Kaixiong Yu <yukaixiong@huawei.com> Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com> --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/filemap.c b/mm/filemap.c index c8863a76d531..18e304ce6229 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2765,7 +2765,7 @@ static inline loff_t page_seek_hole_data(struct xa_state *xas, do { if (ops->is_partially_uptodate(page, offset, bsz) == seek_data) break; - start = (start + bsz) & ~(bsz - 1); + start = (start + bsz) & ~((u64)bsz - 1); offset += bsz; } while (offset < thp_size(page)); unlock: -- 2.43.0