* Subject:[REGRESSION] fs/qnx6: incorrect pointer arithmetic breaks dir scanning completely
@ 2026-05-26 10:40 Oleg Chaun
2026-05-26 11:02 ` Thorsten Leemhuis
2026-05-26 13:38 ` Sasha Levin
0 siblings, 2 replies; 4+ messages in thread
From: Oleg Chaun @ 2026-05-26 10:40 UTC (permalink / raw)
To: stable; +Cc: regressions, willy, brauner
#regzbot introduced: b2aa615
Hello,
A change to fs/qnx6/dir.c:qnx6_readdir() introduced in commit b2aa615
contains incorrect pointer arithmetic (adding an offset expressed in
QNX6_DIR_ENTRY_SIZE units to a plain char * pointer) which breaks QNX6
directory reading completely: only a few entries are visible, and the
kernel log is spammed with "invalid direntry size" messages.
The following patch seems to fix the issue:
--- /tmp/temp/linux-6.17/fs/qnx6/dir.c 2025-09-28 23:39:22.000000000
+0200
+++ ./dir.c 2026-02-13 18:52:56.000000000 +0100
@@ -138,8 +138,8 @@
ctx->pos = (n + 1) << PAGE_SHIFT;
return PTR_ERR(kaddr);
}
- de = (struct qnx6_dir_entry *)(kaddr + offset);
- limit = kaddr + last_entry(inode, n);
+ de = ((struct qnx6_dir_entry *)kaddr) + offset;
+ limit = kaddr + last_entry(inode, n) * QNX6_DIR_ENTRY_SIZE;
for (; (char *)de < limit; de++, ctx->pos +=
QNX6_DIR_ENTRY_SIZE) {
int size = de->de_size;
u32 no_inode = fs32_to_cpu(sbi, de->de_inode);
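Review bot: The two replaced lines convert entry units to bytes in two different ways: the `de` line relies on the cast to `struct qnx6_dir_entry *` so that `+ offset` scales by `sizeof(struct qnx6_dir_entry)`, while the `limit` line multiplies by `QNX6_DIR_ENTRY_SIZE` explicitly. The two agree only while the struct size equals `QNX6_DIR_ENTRY_SIZE`, which the loop's `de++` paired with `ctx->pos += QNX6_DIR_ENTRY_SIZE` also assumes. Consider deriving both from one typed base, for example retyping `limit` as `struct qnx6_dir_entry *` set to the base plus `last_entry(inode, n)` so the loop condition needs no `(char *)` cast, and state in the commit message that `offset` and the value of `last_entry()` are both counted in entries.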
I can test any further changes on real QNX6 fs images if necessary.
BR,
Oleg
^ permalink raw reply [flat|nested] 4+ messages in thread
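The failure mode described in the report above, reproduced in user space as an added example (not code from the thread or from the kernel): an index counted in entries is added either to a `char *` or to a typed entry pointer. `demo_dir_entry`, the 32-byte entry size, `build_page()` and `scan()` are assumptions of this example, and any size above the short-name maximum is simply counted as invalid.

```c
#include <stdint.h>
#include <string.h>
#define ENTRY_SIZE 32u        /* assumed on-disk entry size for this demo */
#define SHORT_NAME_MAX 27u
/* Hypothetical stand-in for a packed on-disk directory entry. */
struct demo_dir_entry {
    uint32_t de_inode;
    uint8_t de_size;
    char de_fname[SHORT_NAME_MAX];
} __attribute__((packed));
_Static_assert(sizeof(struct demo_dir_entry) == ENTRY_SIZE, "entry size");
struct scan_result { unsigned emitted, invalid; };
static struct demo_dir_entry page[4096 / ENTRY_SIZE];   /* one 4 KiB page */

/* Constructed sample data: `count` valid entries named "file". */
static void build_page(unsigned count)
{
    memset(page, 0, sizeof(page));
    for (unsigned i = 0; i < count; i++) {
        page[i].de_inode = i + 1;
        page[i].de_size = 4;
        memcpy(page[i].de_fname, "file", 4);
    }
}

/* offset and last are entry indices; scaled == 0 reproduces the regression. */
static struct scan_result scan(unsigned offset, unsigned last, int scaled)
{
    struct scan_result r = { 0, 0 };
    char *kaddr = (char *)page, *limit;
    struct demo_dir_entry *de, e;
    if (scaled) {       /* entry units converted to bytes on both lines */
        de = (struct demo_dir_entry *)kaddr + offset;
        limit = kaddr + last * ENTRY_SIZE;
    } else {            /* entry units added to a char * as if they were bytes */
        de = (struct demo_dir_entry *)(kaddr + offset);
        limit = kaddr + last;
    }
    for (; (char *)de < limit; de++) {
        memcpy(&e, de, sizeof(e));      /* safe read of a possibly misaligned slot */
        if (!e.de_inode || !e.de_size)
            continue;                   /* empty slot */
        if (e.de_size > SHORT_NAME_MAX)
            r.invalid++;                /* long names are not modelled here */
        else
            r.emitted++;
    }
    return r;
}
```

With ten constructed entries, the unscaled walk from index 0 emits a single entry, and from index 4 it reads a name byte as the size field and counts it invalid; the scaled walk emits ten and six entries respectively.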
* Re: Subject:[REGRESSION] fs/qnx6: incorrect pointer arithmetic breaks dir scanning completely
2026-05-26 10:40 Subject:[REGRESSION] fs/qnx6: incorrect pointer arithmetic breaks dir scanning completely Oleg Chaun
@ 2026-05-26 11:02 ` Thorsten Leemhuis
2026-05-26 13:12 ` Arpith Kalaginanavoor
2026-05-26 13:38 ` Sasha Levin
1 sibling, 1 reply; 4+ messages in thread
From: Thorsten Leemhuis @ 2026-05-26 11:02 UTC (permalink / raw)
To: Oleg Chaun, stable
Cc: regressions, willy, brauner, Arpith Kalaginanavoor,
Alexander Viro, Linux-fsdevel
On 5/26/26 12:40, Oleg Chaun wrote:
>
> A change to fs/qnx6/dir.c:qnx6_readdir() introduced in commit b2aa615
> contains incorrect pointer arithmetic (adding an offset expressed in
> QNX6_DIR_ENTRY_SIZE units to a plain char * pointer) which breaks QNX6
> directory reading completely: only a few entries are visible, and the
> kernel log is spammed with "invalid direntry size" messages.
Thx for the report. From a quick look it seems Arpith Kalaginanavoor
(now CCed) reported this last month and provided a proper patch:
https://lore.kernel.org/all/20260310102233.391113-1-arpithk@nvidia.com/
Al (now CCed, too) suggested a slightly different fix, but it seems
since then nothing happened.
Ciao, Thorsten
> The following patch seems to fix the issue:
>
> --- /tmp/temp/linux-6.17/fs/qnx6/dir.c 2025-09-28 23:39:22.000000000
> +0200
> +++ ./dir.c 2026-02-13 18:52:56.000000000 +0100
> @@ -138,8 +138,8 @@
> ctx->pos = (n + 1) << PAGE_SHIFT;
> return PTR_ERR(kaddr);
> }
> - de = (struct qnx6_dir_entry *)(kaddr + offset);
> - limit = kaddr + last_entry(inode, n);
> + de = ((struct qnx6_dir_entry *)kaddr) + offset;
> + limit = kaddr + last_entry(inode, n) * QNX6_DIR_ENTRY_SIZE;
> for (; (char *)de < limit; de++, ctx->pos +=
> QNX6_DIR_ENTRY_SIZE) {
> int size = de->de_size;
> u32 no_inode = fs32_to_cpu(sbi, de->de_inode);
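Review bot: The diff as posted is line-wrapped: the `+0200` of the `---` header and the `QNX6_DIR_ENTRY_SIZE) {` tail of the `for (...)` context line each sit on a line of their own, and the paths (`/tmp/temp/linux-6.17/fs/qnx6/dir.c` against `./dir.c`) are not relative to the tree root, so the hunk is unlikely to apply cleanly as it stands. Regenerating it from a git tree with an unwrapped body and a Signed-off-by line would let it be applied and tested directly.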
>
> I can test any further changes on real QNX6 fs images if necessary.
#regzbot introduced: b2aa61556fcfa8
#regzbot title: qnx6: dir scanning broken
#regzbot dup: https://lore.kernel.org/all/20260310102233.391113-1-arpithk@nvidia.com/
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Subject:[REGRESSION] fs/qnx6: incorrect pointer arithmetic breaks dir scanning completely
2026-05-26 11:02 ` Thorsten Leemhuis
@ 2026-05-26 13:12 ` Arpith Kalaginanavoor
0 siblings, 0 replies; 4+ messages in thread
From: Arpith Kalaginanavoor @ 2026-05-26 13:12 UTC (permalink / raw)
To: regressions
Cc: arpithk, brauner, linux-fsdevel, olegchaun, regressions, stable,
viro, willy
Hi Thorsten,
I have submitted a revised fix for this here:
https://lore.kernel.org/all/20260526123858.1683035-1-arpithk@nvidia.com/
This follows Al's suggested approach from the earlier thread.
Thanks,
Arpith
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Subject:[REGRESSION] fs/qnx6: incorrect pointer arithmetic breaks dir scanning completely
2026-05-26 10:40 Subject:[REGRESSION] fs/qnx6: incorrect pointer arithmetic breaks dir scanning completely Oleg Chaun
2026-05-26 11:02 ` Thorsten Leemhuis
@ 2026-05-26 13:38 ` Sasha Levin
1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2026-05-26 13:38 UTC (permalink / raw)
To: stable; +Cc: Sasha Levin, regressions, willy, brauner, Oleg Chaun
On Tue, May 26, 2026 at 12:40:12PM +0200, Oleg Chaun wrote:
> Commit b2aa61556fcf ("qnx6: Convert qnx6_get_page() to
> qnx6_get_folio()") breaks qnx6 readdir on 6.12, 6.18 and 7.0 by
> dropping the QNX6_DIR_ENTRY_SIZE scaling in the entry-pointer
> arithmetic.
Thanks for the report. As Thorsten noted, Arpith already posted a fix
at:
https://lore.kernel.org/all/20260310102233.391113-1-arpithk@nvidia.com/
with Al Viro's review feedback still pending. There is no upstream
commit to cherry-pick yet, so I cannot queue anything for stable until
an upstream fix lands.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 4+ messages in thread