* Re: [PATCH v1] iomap: fix invalid folio access when i_blkbits differs from I/O granularity
[not found] <20260317203935.830549-1-joannelkoong@gmail.com>
@ 2026-03-17 20:55 ` Joanne Koong
0 siblings, 0 replies; only message in thread
From: Joanne Koong @ 2026-03-17 20:55 UTC (permalink / raw)
To: brauner; +Cc: djwong, hch, willy, Johannes Thumshirn, stable, linux-fsdevel
On Tue, Mar 17, 2026 at 1:47 PM Joanne Koong <joannelkoong@gmail.com> wrote:
>
> Commit aa35dd5cbc06 ("iomap: fix invalid folio access after
> folio_end_read()") partially addressed invalid folio access for folios
> without an ifs attached, but it did not handle the case where
> 1 << inode->i_blkbits matches the folio size but is different from the
> granularity used for the IO, which means IO can be submitted for less
> than the full folio for the !ifs case.
>
> In this case, the condition:
>
> if (*bytes_submitted == folio_len)
> ctx->cur_folio = NULL;
>
> in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and
> iomap_read_end() will still be called on the folio even though the IO
> helper owns it and will finish the read on it.
>
> Fix this by unconditionally invalidating ctx->cur_folio for the !ifs
> case.
>
> Reported-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> Tested-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> Link: https://lore.kernel.org/linux-fsdevel/b3dfe271-4e3d-4922-b618-e73731242bca@wdc.com/
> Fixes: b2f35ac4146d ("iomap: add caller-provided callbacks for read and readahead")
> Cc: stable@vger.kernel.org
> Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
> ---
> fs/iomap/buffered-io.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
> index 3cf93ab2e38a..e4b6886e5c3c 100644
> --- a/fs/iomap/buffered-io.c
> +++ b/fs/iomap/buffered-io.c
> @@ -514,6 +514,7 @@ static int iomap_read_folio_iter(struct iomap_iter *iter,
> loff_t length = iomap_length(iter);
> struct folio *folio = ctx->cur_folio;
> size_t folio_len = folio_size(folio);
> + struct iomap_folio_state *ifs;
> size_t poff, plen;
> loff_t pos_diff;
> int ret;
> @@ -525,7 +526,7 @@ static int iomap_read_folio_iter(struct iomap_iter *iter,
> return iomap_iter_advance(iter, length);
> }
>
> - ifs_alloc(iter->inode, folio, iter->flags);
> + ifs = ifs_alloc(iter->inode, folio, iter->flags);
>
> length = min_t(loff_t, length, folio_len - offset_in_folio(folio, pos));
> while (length) {
> @@ -560,11 +561,15 @@ static int iomap_read_folio_iter(struct iomap_iter *iter,
>
> *bytes_submitted += plen;
> /*
> - * If the entire folio has been read in by the IO
> - * helper, then the helper owns the folio and will end
> - * the read on it.
> + * Hand off folio ownership to the IO helper when:
> + * 1) The entire folio has been submitted for IO, or
> + * 2) There is no ifs attached to the folio
> + *
> + * Case (2) occurs when 1 << i_blkbits matches the folio
> + * size but the underlying filesystem or block device
> + * uses a smaller granularity for IO.
> */
> - if (*bytes_submitted == folio_len)
> + if (*bytes_submitted == folio_len || !ifs)
> ctx->cur_folio = NULL;
> }
>
> --
> 2.52.0
>
Forgot to add 'linux-fsdevel@vger.kernel.org' to the cc list, adding that now
^ permalink raw reply [flat|nested] only message in thread