From: Breno Leitao <leitao@debian.org>
To: Vlad Poenaru <vlad.wing@gmail.com>
Cc: stable@vger.kernel.org, gregkh@linuxfoundation.org,
miklos@szeredi.hu, joannelkoong@gmail.com,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 6.18.y v2] fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0
Date: Wed, 20 May 2026 04:40:49 -0700
Message-ID: <ag2dqkvYw6cKntDs@gmail.com>
In-Reply-To: <20260519174816.3983940-1-vlad.wing@gmail.com>
On Tue, May 19, 2026 at 10:48:16AM -0700, Vlad Poenaru wrote:
> [ Upstream commit 4ea907108a5c ("fuse: use iomap for readahead") ]
>
> The upstream fix is the iomap conversion in commit 4ea907108a5c
> ("fuse: use iomap for readahead"), which rewrote fuse_readahead()
> entirely and removed the buggy loop along with it. That refactor
> is too invasive to backport to the pre-iomap readahead path still
> used by 6.18.y (and earlier stable branches), so this is a minimal,
> equivalent fix to the same bug on those branches.
>
> When fc->max_read is smaller than PAGE_SIZE (common on aarch64 with
> 64K base pages if the FUSE server advertises a small max_read in INIT),
> max_pages = min(fc->max_pages, fc->max_read / PAGE_SIZE) is 0, so
> cur_pages is 0 on every outer iteration.
>
> fuse_io_alloc(NULL, 0) then calls fuse_folios_alloc(0, ...), which
> calls kzalloc(0, ...) and gets back ZERO_SIZE_PTR == (void *)16.
> The "if (!ia->ap.folios)" guard in fuse_io_alloc does not catch
> ZERO_SIZE_PTR, so fuse_io_alloc happily returns an ia whose
> ap.folios is 0x10.
>
> The inner "while (pages < cur_pages)" loop runs zero times, then
> fuse_send_readpages(ia, ...) dereferences ap->folios[0] in
> folio_pos(), faulting at virtual address 0x10:
>
> Unable to handle kernel NULL pointer dereference at virtual address
> 0000000000000010
> fuse_readahead+0x14c/0x490
> read_pages+0x80/0x318
> page_cache_ra_unbounded+0x1c0/0x2b0
> page_cache_ra_order+0xb8/0x368
> page_cache_sync_ra+0x210/0x320
> filemap_get_pages+0x290/0xdb0
> generic_file_read_iter+0xd0/0x540
> fuse_file_read_iter+0x8c/0x158
> __arm64_sys_read+0x1a0/0x488
>
> addr2line on the aarch64 vmlinux maps fuse_readahead+0x14c to
> fs/fuse/file.c:897 inlined into :999, i.e. "folio_pos(ap->folios[0])"
> inside fuse_send_readpages. The faulting instruction "ldr x8, [x8]"
> loads ap->folios[0]; ap->folios was previously loaded as 0x10
> (ZERO_SIZE_PTR).
>
> Without this fix the function would also spin forever, since
> "nr_pages -= pages" makes no progress when pages stays 0; in practice
> the NULL deref masks the spin.
>
> Bail out of the outer loop if cur_pages is 0 -- there is no work we
> can issue via FUSE in this iteration, and remaining folios will be
> handled by read_pages() falling back to ->read_folio.
>
> Fixes: 3eab9d7bc2f4 ("fuse: convert readahead to use folios")
> Reported-by: Breno Leitao <leitao@debian.org>
> Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
> Signed-off-by: Vlad Poenaru <vlad.wing@gmail.com>
Thanks for the fix, Vlad.
Acked-by: Breno Leitao <leitao@debian.org>
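The quoted commit message hinges on two facts: integer division makes max_pages 0 when fc->max_read is smaller than PAGE_SIZE, and kzalloc(0) returns the ZERO_SIZE_PTR sentinel (0x10) rather than NULL, so a plain "if (!ptr)" guard does not reject it. The following userspace model, added here as an illustration and not code from the patch or the kernel, reproduces both behaviours and contrasts the NULL-only guard with the kernel's ZERO_OR_NULL_PTR() check and with the patch's bail-out on cur_pages == 0. The ZERO_SIZE_PTR value and the ZERO_OR_NULL_PTR() macro mirror their definitions in <linux/slab.h>; model_kzalloc(), compute_max_pages() and readahead_iteration_would_fault() are hypothetical helpers, and the max_read / PAGE_SIZE figures are constructed sample values.

```c
/* Userspace model of the failure described in the quoted commit message.
 * Added example; not kernel code and not the patch itself. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdbool.h>

/* Mirrors <linux/slab.h>: a zero-length allocation yields this sentinel. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= (unsigned long)ZERO_SIZE_PTR)

/* Hypothetical stand-in for kzalloc(): size 0 returns ZERO_SIZE_PTR, never NULL. */
static void *model_kzalloc(size_t size)
{
	if (size == 0)
		return ZERO_SIZE_PTR;
	return calloc(1, size);
}

static void model_kfree(void *p)
{
	if (!ZERO_OR_NULL_PTR(p))
		free(p);
}

/* max_pages = min(fc->max_pages, fc->max_read / PAGE_SIZE), as in the
 * pre-iomap fuse_readahead(); max_read < PAGE_SIZE truncates to 0. */
static unsigned int compute_max_pages(unsigned int fc_max_pages,
				      unsigned int fc_max_read,
				      unsigned int page_size)
{
	unsigned int by_read = fc_max_read / page_size;

	return fc_max_pages < by_read ? fc_max_pages : by_read;
}

/* The guard quoted from fuse_io_alloc(): only NULL is rejected. */
static bool buggy_guard_accepts(void *folios)
{
	return folios != NULL;	/* "if (!ia->ap.folios)" */
}

/* A guard that also rejects the zero-size sentinel. */
static bool strict_guard_accepts(void *folios)
{
	return !ZERO_OR_NULL_PTR(folios);
}

/* Returns 1 if one outer-loop iteration would reach fuse_send_readpages()
 * holding an unusable folio array, 0 otherwise. apply_fix models the
 * patch's early exit when cur_pages is 0. */
static int readahead_iteration_would_fault(unsigned int cur_pages, bool apply_fix)
{
	void *folios;
	int fault;

	if (apply_fix && cur_pages == 0)
		return 0;	/* nothing can be issued via FUSE this iteration */

	folios = model_kzalloc(cur_pages * sizeof(void *));
	/* The sentinel passes the NULL check, so folios[0] would be read at 0x10. */
	fault = buggy_guard_accepts(folios) && ZERO_OR_NULL_PTR(folios);
	model_kfree(folios);
	return fault;
}

int main(void)
{
	/* Constructed sample: 64K base pages, server advertises max_read = 32K. */
	unsigned int mp = compute_max_pages(256, 32768, 65536);

	printf("max_pages = %u\n", mp);
	printf("kzalloc(0) passes NULL-only guard: %s\n",
	       buggy_guard_accepts(model_kzalloc(0)) ? "yes" : "no");
	printf("kzalloc(0) passes ZERO_OR_NULL_PTR guard: %s\n",
	       strict_guard_accepts(model_kzalloc(0)) ? "yes" : "no");
	printf("iteration faults without fix: %d, with fix: %d\n",
	       readahead_iteration_would_fault(mp, false),
	       readahead_iteration_would_fault(mp, true));
	return 0;
}
```

The model makes the review point concrete: the NULL test in fuse_io_alloc() is not a sufficient allocation-failure check once a size of 0 can reach kzalloc(), and the minimal stable fix sidesteps the question by never allocating for an iteration that can do no work.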
Thread overview (6+ messages):
2026-05-18 18:26 [PATCH 6.18.y] fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0 Vlad Poenaru
2026-05-18 18:34 ` Joanne Koong
2026-05-18 18:50 ` Greg KH
2026-05-19 17:48 ` [PATCH 6.18.y v2] " Vlad Poenaru
2026-05-20 0:54 ` Sasha Levin
2026-05-20 11:40 ` Breno Leitao [this message]