[PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[Joanne Koong]

This fixes a bug in commit 63c69ad3d18a ("fuse: refactor
fuse_fill_write_pages()") where max_pages << PAGE_SHIFT is mistakenly
used as the calculation for the max_pages upper limit but there's the
possibility that copy_folio_from_iter_atomic() may copy over bytes
from the iov_iter that are less than the full length of the folio,
which would lead to exceeding max_pages.

This commit fixes it by adding a 'ap->num_folios < max_folios' check.

Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Fixes: 63c69ad3d18a ("fuse: refactor fuse_fill_write_pages()")
Reported-by: Brian Foster <bfoster@redhat.com>
Closes: https://lore.kernel.org/linux-fsdevel/aEq4haEQScwHIWK6@bfoster/
---
 fs/fuse/file.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 3d0b33be3824..a05a589dc701 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1147,7 +1147,7 @@ static ssize_t fuse_send_write_pages(struct fuse_io_args *ia,
 static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
 				     struct address_space *mapping,
 				     struct iov_iter *ii, loff_t pos,
-				     unsigned int max_pages)
+				     unsigned int max_folios)
 {
 	struct fuse_args_pages *ap = &ia->ap;
 	struct fuse_conn *fc = get_fuse_conn(mapping->host);
@@ -1157,12 +1157,11 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
 	int err = 0;
 
 	num = min(iov_iter_count(ii), fc->max_write);
-	num = min(num, max_pages << PAGE_SHIFT);
 
 	ap->args.in_pages = true;
 	ap->descs[0].offset = offset;
 
-	while (num) {
+	while (num && ap->num_folios < max_folios) {
 		size_t tmp;
 		struct folio *folio;
 		pgoff_t index = pos >> PAGE_SHIFT;
-- 
2.47.1

Re: [PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[Brian Foster]

On Fri, Jun 13, 2025 at 05:01:14PM -0700, Joanne Koong wrote:
> This fixes a bug in commit 63c69ad3d18a ("fuse: refactor
> fuse_fill_write_pages()") where max_pages << PAGE_SHIFT is mistakenly
> used as the calculation for the max_pages upper limit but there's the
> possibility that copy_folio_from_iter_atomic() may copy over bytes
> from the iov_iter that are less than the full length of the folio,
> which would lead to exceeding max_pages.
> 
> This commit fixes it by adding a 'ap->num_folios < max_folios' check.
> 
> Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
> Fixes: 63c69ad3d18a ("fuse: refactor fuse_fill_write_pages()")
> Reported-by: Brian Foster <bfoster@redhat.com>
> Closes: https://lore.kernel.org/linux-fsdevel/aEq4haEQScwHIWK6@bfoster/
> ---

This resolves the problem for me as well. Thanks again..

Tested-by: Brian Foster <bfoster@redhat.com>

>  fs/fuse/file.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
> index 3d0b33be3824..a05a589dc701 100644
> --- a/fs/fuse/file.c
> +++ b/fs/fuse/file.c
> @@ -1147,7 +1147,7 @@ static ssize_t fuse_send_write_pages(struct fuse_io_args *ia,
>  static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
>  				     struct address_space *mapping,
>  				     struct iov_iter *ii, loff_t pos,
> -				     unsigned int max_pages)
> +				     unsigned int max_folios)
>  {
>  	struct fuse_args_pages *ap = &ia->ap;
>  	struct fuse_conn *fc = get_fuse_conn(mapping->host);
> @@ -1157,12 +1157,11 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
>  	int err = 0;
>  
>  	num = min(iov_iter_count(ii), fc->max_write);
> -	num = min(num, max_pages << PAGE_SHIFT);
>  
>  	ap->args.in_pages = true;
>  	ap->descs[0].offset = offset;
>  
> -	while (num) {
> +	while (num && ap->num_folios < max_folios) {
>  		size_t tmp;
>  		struct folio *folio;
>  		pgoff_t index = pos >> PAGE_SHIFT;
> -- 
> 2.47.1
> 

Re: [PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[Joanne Koong]

On Sat, Jun 14, 2025 at 3:54 AM Brian Foster <bfoster@redhat.com> wrote:
>
> On Fri, Jun 13, 2025 at 05:01:14PM -0700, Joanne Koong wrote:
> > This fixes a bug in commit 63c69ad3d18a ("fuse: refactor
> > fuse_fill_write_pages()") where max_pages << PAGE_SHIFT is mistakenly
> > used as the calculation for the max_pages upper limit but there's the
> > possibility that copy_folio_from_iter_atomic() may copy over bytes
> > from the iov_iter that are less than the full length of the folio,
> > which would lead to exceeding max_pages.
> >
> > This commit fixes it by adding a 'ap->num_folios < max_folios' check.
> >
> > Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
> > Fixes: 63c69ad3d18a ("fuse: refactor fuse_fill_write_pages()")
> > Reported-by: Brian Foster <bfoster@redhat.com>
> > Closes: https://lore.kernel.org/linux-fsdevel/aEq4haEQScwHIWK6@bfoster/
> > ---
>
> This resolves the problem for me as well. Thanks again..
>
> Tested-by: Brian Foster <bfoster@redhat.com>
>
> >  fs/fuse/file.c | 5 ++---
> >  1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/fs/fuse/file.c b/fs/fuse/file.c
> > index 3d0b33be3824..a05a589dc701 100644
> > --- a/fs/fuse/file.c
> > +++ b/fs/fuse/file.c
> > @@ -1147,7 +1147,7 @@ static ssize_t fuse_send_write_pages(struct fuse_io_args *ia,
> >  static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
> >                                    struct address_space *mapping,
> >                                    struct iov_iter *ii, loff_t pos,
> > -                                  unsigned int max_pages)
> > +                                  unsigned int max_folios)
> >  {
> >       struct fuse_args_pages *ap = &ia->ap;
> >       struct fuse_conn *fc = get_fuse_conn(mapping->host);
> > @@ -1157,12 +1157,11 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
> >       int err = 0;
> >
> >       num = min(iov_iter_count(ii), fc->max_write);
> > -     num = min(num, max_pages << PAGE_SHIFT);
> >
> >       ap->args.in_pages = true;
> >       ap->descs[0].offset = offset;
> >
> > -     while (num) {
> > +     while (num && ap->num_folios < max_folios) {
> >               size_t tmp;
> >               struct folio *folio;
> >               pgoff_t index = pos >> PAGE_SHIFT;
> > --
> > 2.47.1
> >
>

Miklos or Christian, could this fix be added to the next release candidate?


Thanks,
Joanne

Re: [PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[Christian Brauner]

On Fri, 13 Jun 2025 17:01:14 -0700, Joanne Koong wrote:
> This fixes a bug in commit 63c69ad3d18a ("fuse: refactor
> fuse_fill_write_pages()") where max_pages << PAGE_SHIFT is mistakenly
> used as the calculation for the max_pages upper limit but there's the
> possibility that copy_folio_from_iter_atomic() may copy over bytes
> from the iov_iter that are less than the full length of the folio,
> which would lead to exceeding max_pages.
> 
> [...]

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] fuse: fix fuse_fill_write_pages() upper bound calculation
      https://git.kernel.org/vfs/vfs/c/dbee298cb7bb

Re: [PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[Christian Brauner]

> Miklos or Christian, could this fix be added to the next release candidate?

Snatched.

Re: [PATCH] fuse: fix fuse_fill_write_pages() upper bound calculation

[Joanne Koong]

On Tue, Jun 24, 2025 at 2:07 AM Christian Brauner <brauner@kernel.org> wrote:
>
> > Miklos or Christian, could this fix be added to the next release candidate?
>
> Snatched.

Thanks, Christian.