* [PATCH] fuse: fix writeback array overflow when max_pages is one
@ 2026-05-06 12:24 Junxi Qian
2026-05-07 15:49 ` Miklos Szeredi
2026-05-11 10:38 ` Christian Brauner
0 siblings, 2 replies; 3+ messages in thread
From: Junxi Qian @ 2026-05-06 12:24 UTC (permalink / raw)
To: linux-fsdevel; +Cc: Miklos Szeredi, Greg KH, Joanne Koong
fuse_iomap_writeback_range() appends one folio pointer and one
fuse_folio_desc for every dirty range that is merged into the current
writeback request. The merge decision checks the byte budget against
fc->max_pages and fc->max_write, but it does not check whether the folio
and descriptor arrays still have another free slot.
This is not sufficient for fuseblk, where the filesystem block size can
be smaller than PAGE_SIZE. With writeback cache enabled and max_pages
negotiated as one, contiguous sub-page dirty ranges can fit within the
byte budget while spanning more than one folio. The next append can then
write past the one-slot folios and descs arrays.
Split the request when the number of already attached folios has reached
fc->max_pages. This keeps the folio/descriptor slot accounting in sync
with the send decision.
Fixes: ef7e7cbb323f ("fuse: use iomap for writeback")
Cc: stable@vger.kernel.org
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
---
fs/fuse/file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index c59452d60..f94f3dc08 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2176,7 +2176,10 @@ static bool fuse_folios_need_send(struct fuse_conn *fc, loff_t pos,
WARN_ON(!ap->num_folios);
- /* Reached max pages */
+ /* Reached max pages or max folio slots */
+ if (ap->num_folios >= fc->max_pages)
+ return true;
+
if (DIV_ROUND_UP(bytes, PAGE_SIZE) > fc->max_pages)
return true;
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] fuse: fix writeback array overflow when max_pages is one
2026-05-06 12:24 [PATCH] fuse: fix writeback array overflow when max_pages is one Junxi Qian
@ 2026-05-07 15:49 ` Miklos Szeredi
2026-05-11 10:38 ` Christian Brauner
1 sibling, 0 replies; 3+ messages in thread
From: Miklos Szeredi @ 2026-05-07 15:49 UTC (permalink / raw)
To: Christian Brauner; +Cc: linux-fsdevel, Greg KH, Joanne Koong, Junxi Qian
On Wed, 6 May 2026 at 14:24, Junxi Qian <qjx1298677004@gmail.com> wrote:
>
> fuse_iomap_writeback_range() appends one folio pointer and one
> fuse_folio_desc for every dirty range that is merged into the current
> writeback request. The merge decision checks the byte budget against
> fc->max_pages and fc->max_write, but it does not check whether the folio
> and descriptor arrays still have another free slot.
>
> This is not sufficient for fuseblk, where the filesystem block size can
> be smaller than PAGE_SIZE. With writeback cache enabled and max_pages
> negotiated as one, contiguous sub-page dirty ranges can fit within the
> byte budget while spanning more than one folio. The next append can then
> write past the one-slot folios and descs arrays.
>
> Split the request when the number of already attached folios has reached
> fc->max_pages. This keeps the folio/descriptor slot accounting in sync
> with the send decision.
>
> Fixes: ef7e7cbb323f ("fuse: use iomap for writeback")
> Cc: stable@vger.kernel.org
> Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
> Signed-off-by: Junxi Qian <qjx1298677004@gmail.com>
Acked-by: Miklos Szeredi <mszeredi@redhat.com>
Christian, can you please apply this?
Thanks,
Miklos
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] fuse: fix writeback array overflow when max_pages is one
2026-05-06 12:24 [PATCH] fuse: fix writeback array overflow when max_pages is one Junxi Qian
2026-05-07 15:49 ` Miklos Szeredi
@ 2026-05-11 10:38 ` Christian Brauner
1 sibling, 0 replies; 3+ messages in thread
From: Christian Brauner @ 2026-05-11 10:38 UTC (permalink / raw)
To: linux-fsdevel, Junxi Qian
Cc: Christian Brauner, Miklos Szeredi, Greg KH, Joanne Koong
On Wed, 06 May 2026 20:24:15 +0800, Junxi Qian wrote:
> fuse_iomap_writeback_range() appends one folio pointer and one
> fuse_folio_desc for every dirty range that is merged into the current
> writeback request. The merge decision checks the byte budget against
> fc->max_pages and fc->max_write, but it does not check whether the folio
> and descriptor arrays still have another free slot.
>
> This is not sufficient for fuseblk, where the filesystem block size can
> be smaller than PAGE_SIZE. With writeback cache enabled and max_pages
> negotiated as one, contiguous sub-page dirty ranges can fit within the
> byte budget while spanning more than one folio. The next append can then
> write past the one-slot folios and descs arrays.
>
> [...]
Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.
Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.
It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.
Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes
[1/1] fuse: fix writeback array overflow when max_pages is one
https://git.kernel.org/vfs/vfs/c/fde8a3147d3b
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-11 10:38 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-06 12:24 [PATCH] fuse: fix writeback array overflow when max_pages is one Junxi Qian
2026-05-07 15:49 ` Miklos Szeredi
2026-05-11 10:38 ` Christian Brauner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox