From: "Darrick J. Wong" <djwong@kernel.org>
To: Chris Mason <clm@meta.com>
Cc: miklos@szeredi.hu, joannelkoong@gmail.com, bernd@bsbernd.com,
neal@gompa.dev, linux-ext4@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 24/31] fuse: implement inline data file IO via iomap
Date: Thu, 5 Feb 2026 18:27:10 -0800
Message-ID: <20260206022710.GI7686@frogsfrogsfrogs>
In-Reply-To: <20260205190206.1890644-1-clm@meta.com>
On Thu, Feb 05, 2026 at 11:01:07AM -0800, Chris Mason wrote:
> "Darrick J. Wong" <djwong@kernel.org> wrote:
> > From: Darrick J. Wong <djwong@kernel.org>
> >
> > Implement inline data file IO by issuing FUSE_READ/FUSE_WRITE commands
> > in response to an inline data mapping.
>
> Hi everyone,
>
> I'm trying out my AI review prompts on a few more trees, and I ran it
> on the fuse-iomap-cache branch:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux.git/log/?h=fuse-iomap-cache
>
> This was the latest email lore could find, apologies if I grabbed the wrong one.
>
> Hopefully the review below is useful, please let me know if there are places it
> has gone wildly wrong. I kept the header to make it obvious exactly which
> commit I'd run through:
>
> commit 1263eae0852acb1359182377ad94d570701e2274
> Author: Darrick J. Wong <djwong@kernel.org>
>
> fuse: implement inline data file IO via iomap
>
> Implement inline data file IO by issuing FUSE_READ/FUSE_WRITE commands
> in response to an inline data mapping.
>
> > diff --git a/fs/fuse/fuse_iomap.c b/fs/fuse/fuse_iomap.c
> > --- a/fs/fuse/fuse_iomap.c
> > +++ b/fs/fuse/fuse_iomap.c
> > @@ -398,6 +398,150 @@ fuse_iomap_find_dev(struct fuse_conn *fc, const struct fuse_iomap_io *map)
> > return ret;
> > }
> >
> > +/*
> > + * Use the FUSE_READ command to read inline file data from the fuse server.
> > + * Note that there's no file handle attached, so the fuse server must be able
> > + * to reconnect to the inode via the nodeid.
> > + */
> > +static int fuse_iomap_inline_read(struct inode *inode, loff_t pos,
> > + loff_t count, struct iomap *iomap)
> > +{
> > + struct fuse_read_in in = {
> > + .offset = pos,
> > + .size = count,
> > + };
> > + struct fuse_inode *fi = get_fuse_inode(inode);
> > + struct fuse_mount *fm = get_fuse_mount(inode);
> > + FUSE_ARGS(args);
> > + ssize_t ret;
> > +
> > + if (BAD_DATA(!iomap_inline_data_valid(iomap)))
> > + return -EFSCORRUPTED;
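Review bot: iomap_inline_data_valid() only validates iomap->length against the page; nothing in this function checks that the caller's window [pos, pos + count) lies inside [iomap->offset, iomap->offset + iomap->length), yet further down count becomes out_args[0].size and iomap_inline_data(iomap, pos) becomes out_args[0].value, so a count that overshoots the mapping lets the server's FUSE_READ reply land past the end of the inline buffer. Add an explicit check before issuing the request, for example `if (pos < iomap->offset || count > iomap->length - (pos - iomap->offset))` returning -EFSCORRUPTED (and freeing the buffer on the way out, as the later error paths do), or state in the header comment that callers guarantee the window. The same check is what makes the narrowing of count (a loff_t) into fuse_read_in.size, a 32-bit field, safe.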
>
> Does this code leak memory when the BAD_DATA check fails? Looking at
> the call chain:
>
> fuse_iomap_set_inline()->fuse_iomap_inline_alloc() allocates
> iomap->inline_data via kvzalloc. If the iomap_inline_data_valid check
> fails (i.e., iomap->length > PAGE_SIZE - offset_in_page(iomap->inline_data)),
> the function returns -EFSCORRUPTED without freeing iomap->inline_data.
>
> Other error paths in this function (around the fuse_simple_request call)
> properly call fuse_iomap_inline_free(iomap) before returning errors.
>
> The caller fuse_iomap_set_inline doesn't clean up iomap->inline_data on
> error in the read path (line 538: 'if (err) return err;'), so the
> allocation is leaked when a FUSE server returns an IOMAP_INLINE mapping
> with length > PAGE_SIZE.
Yep, it does leak the ioend and the bio. I'll amend this to call
fuse_iomap_inline_free on its way out.
> > +
> > + args.opcode = FUSE_READ;
> > + args.nodeid = fi->nodeid;
> > + args.in_numargs = 1;
> > + args.in_args[0].size = sizeof(in);
> > + args.in_args[0].value = ∈
> > + args.out_argvar = true;
> > + args.out_numargs = 1;
> > + args.out_args[0].size = count;
> > + args.out_args[0].value = iomap_inline_data(iomap, pos);
> > +
> > + ret = fuse_simple_request(fm, &args);
> > + if (ret < 0) {
> > + fuse_iomap_inline_free(iomap);
> > + return ret;
> > + }
> > + /* no readahead means something bad happened */
> > + if (ret == 0) {
> > + fuse_iomap_inline_free(iomap);
> > + return -EIO;
> > + }
> > +
> > + return 0;
> > +}
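Review bot: with out_argvar set the server is allowed to answer with fewer than count bytes, and the only short reply handled here is ret == 0; any 0 < ret < count returns success with the tail of the buffer still holding the zeroes from kvzalloc (named above as the allocator in fuse_iomap_inline_alloc), which the reader then sees as file contents. Either keep issuing FUSE_READ for the remainder until count is satisfied, or treat ret != count like the ret == 0 case and fail with -EIO. The comment "no readahead means something bad happened" also does not describe the condition being tested: ret is the length of the FUSE_READ reply, so zero means the server returned no data for a range it reported as inline, which is what the comment should say.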
>
> [ ... ]
>
> > @@ -511,8 +663,28 @@ static int fuse_iomap_end(struct inode *inode, loff_t pos, loff_t count,
> > {
> > struct fuse_inode *fi = get_fuse_inode(inode);
> > struct fuse_mount *fm = get_fuse_mount(inode);
> > + struct iomap_iter *iter = container_of(iomap, struct iomap_iter, iomap);
> > + struct iomap *srcmap = &iter->srcmap;
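Review bot: container_of() here turns an unstated assumption into a memory-safety requirement: fuse_iomap_end() is only correct when its iomap argument is the one embedded in an iomap_iter, which holds for calls from the iomap core through fuse_iomap_ops but not for a direct caller that builds a bare struct iomap on its stack (fuse_iomap_writeback_range's write_iomap, quoted below, is exactly that), in which case iter->srcmap dereferences an address computed from a local variable and reads out of bounds. Make the dependency explicit: have the writeback path build a full iomap_iter, or pass the srcmap (or the iter) as a parameter, and add a comment at the top of the function stating the embedding requirement so the next direct caller does not repeat this.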
>
> Can this container_of usage corrupt memory? Looking at
> fuse_iomap_writeback_range, it calls fuse_iomap_end with &write_iomap,
> which is a stack-local struct iomap variable (not embedded in an
> iomap_iter):
>
> fuse_iomap_writeback_range()
> struct iomap write_iomap = { };
> ...
> fuse_iomap_end(inode, offset, len, 0,
> FUSE_IOMAP_OP_WRITEBACK, &write_iomap);
>
> The container_of macro computes an invalid pointer by subtracting the
> offset of the iomap member from the address, resulting in iter pointing
> to garbage memory on the stack. Subsequently, accessing iter->srcmap
> reads from invalid memory, potentially causing undefined behavior or
> crashes.
>
> The iomap core calls fuse_iomap_end via fuse_iomap_ops where iomap IS
> properly embedded in iomap_iter, but the direct call from
> fuse_iomap_writeback_range violates this assumption.
Oops, that's a severe bug. fuse_iomap_writeback_range should indeed
define a whole iomap_iter instead of just the iomap. I'll fix that,
thanks for pointing out these bugs.
--D
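The error-path leak discussed above, together with the bounds and short-reply questions a reviewer asks of the same function, is easy to model outside the kernel. The following is an added example written for this page, not code from the patch or from fs/fuse: a userspace C model of the inline-read path that frees the buffer on every error exit, validates the [pos, pos + count) window against the mapping, and handles short and empty FUSE_READ replies. The struct iomap and fake_server layouts, fake_fuse_read(), inline_fail(), scenario() and the value used for EFSCORRUPTED are assumptions of the example; the constructed 100-byte file stands in for real file data.

```c
/*
 * Added example, not code from the patch or from fs/fuse: a userspace model of
 * the inline-read path discussed above, showing what a reviewer wants from
 * fuse_iomap_inline_read(): every error path frees the inline buffer, the window
 * [pos, pos + count) is checked against the mapping before the reply is copied
 * into it, and a short or empty reply is not left as allocation zeroes.  The
 * struct layouts, the fake server and EFSCORRUPTED's value are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define PAGE_SIZE 4096
#define EFSCORRUPTED 117	/* EUCLEAN, which the kernel aliases; assumption */

struct iomap {			/* only the fields of the kernel's struct used here */
	int64_t offset, length;	/* file range covered by the mapping */
	void *inline_data;	/* buffer of `length` bytes, NULL once freed */
};

struct fake_server {		/* stand-in for the fuse server */
	const uint8_t *file;	/* constructed file contents */
	size_t file_len, max_reply;	/* max_reply caps one reply (short reads); 0 = none */
	int fail_errno;		/* nonzero: every request fails with -fail_errno */
};

/* Stand-in for fuse_simple_request() with out_argvar set: bytes in the reply, 0 at EOF, or -errno. */
static ssize_t fake_fuse_read(const struct fake_server *s, int64_t off,
			      uint32_t size, void *dst)
{
	if (s->fail_errno)
		return -s->fail_errno;
	if (off < 0 || (uint64_t)off >= s->file_len)
		return 0;
	size_t n = s->file_len - (size_t)off;
	n = n > size ? size : n;
	n = s->max_reply && n > s->max_reply ? s->max_reply : n;
	memcpy(dst, s->file + off, n);
	return (ssize_t)n;
}

/* Every error path leaves through here, so the buffer cannot be leaked. */
static int inline_fail(struct iomap *m, int err)
{
	free(m->inline_data);
	m->inline_data = NULL;
	return err;
}

/* Model of fuse_iomap_inline_read(): fill [pos, pos + count) of the inline buffer. */
static int inline_read(const struct fake_server *srv, struct iomap *m,
		       int64_t pos, int64_t count)
{
	int64_t done = 0;
	uint8_t *dst;
	/* the mapping must fit the single page the buffer is sized for */
	if (m->length <= 0 || m->length > PAGE_SIZE)
		return inline_fail(m, -EFSCORRUPTED);
	/* the window must lie inside the mapping; ordered so nothing overflows */
	if (count <= 0 || count > m->length || pos < m->offset ||
	    pos - m->offset > m->length - count)
		return inline_fail(m, -EFSCORRUPTED);
	dst = (uint8_t *)m->inline_data + (pos - m->offset);
	while (done < count) {
		ssize_t n = fake_fuse_read(srv, pos + done,
					   (uint32_t)(count - done), dst + done);
		if (n < 0)
			return inline_fail(m, (int)n);
		if (n == 0)	/* EOF inside a region the server called inline */
			return inline_fail(m, -EIO);
		done += n;	/* short reply: ask for the rest */
	}
	return 0;
}

struct outcome { int ret, data_ok, leaked; };
/* One scenario against a constructed 100-byte file mapped inline at offset 0:
 * data_ok says the bytes landed, leaked says the buffer outlived an error. */
static struct outcome scenario(size_t file_len, size_t max_reply,
			       int fail_errno, int64_t pos, int64_t count)
{
	uint8_t file[100];
	struct fake_server srv = { file, file_len, max_reply, fail_errno };
	struct iomap m = { 0, sizeof(file), calloc(1, sizeof(file)) };
	struct outcome o = { -ENOMEM, 0, 0 };
	for (size_t i = 0; i < sizeof(file); i++)
		file[i] = (uint8_t)(i * 7 + 3);	/* constructed contents */
	if (!m.inline_data)
		return o;
	o.ret = inline_read(&srv, &m, pos, count);
	if (o.ret == 0)
		o.data_ok = !memcmp((uint8_t *)m.inline_data + pos, file + pos,
				    (size_t)count);
	o.leaked = o.ret != 0 && m.inline_data != NULL;
	free(m.inline_data);
	return o;
}
```

scenario() drives the model: it returns 0 with data_ok set for a full read and for one the fake server splits into 7-byte replies, and -EFSCORRUPTED or -EIO with leaked clear for an oversized window, a window that runs off the end of the mapping, a failing server, or a file that ends inside the mapping.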