fs/fuse/file.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
When large folio is enabled and the initial folio offset exceeds
PAGE_SIZE, e.g. the position resides in the second page of a large
folio, after the folio copying the offset (in the page) won't be updated
to 0 even though the expected range is successfully copied until the end
of the folio. In this case fuse_fill_write_pages() exits prematurely
before the request has reached the max_write/max_pages limit.
Fix this by eliminating the page offset entirely and using the folio
offset instead.
Fixes: d60a6015e1a2 ("fuse: support large folios for writethrough writes")
Cc: stable@vger.kernel.org
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
---
fs/fuse/file.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 625d236b881b..6aafb32338b6 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1272,7 +1272,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
{
struct fuse_args_pages *ap = &ia->ap;
struct fuse_conn *fc = get_fuse_conn(mapping->host);
- unsigned offset = pos & (PAGE_SIZE - 1);
size_t count = 0;
unsigned int num;
int err = 0;
@@ -1299,7 +1298,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
if (mapping_writably_mapped(mapping))
flush_dcache_folio(folio);
- folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset;
+ folio_offset = offset_in_folio(folio, pos);
bytes = min(folio_size(folio) - folio_offset, num);
tmp = copy_folio_from_iter_atomic(folio, folio_offset, bytes, ii);
@@ -1329,9 +1328,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
count += tmp;
pos += tmp;
num -= tmp;
- offset += tmp;
- if (offset == folio_size(folio))
- offset = 0;
/* If we copied full folio, mark it uptodate */
if (tmp == folio_size(folio))
@@ -1343,7 +1339,9 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
ia->write.folio_locked = true;
break;
}
- if (!fc->big_writes || offset != 0)
+ if (!fc->big_writes)
+ break;
+ if (folio_offset + tmp != folio_size(folio))
break;
}
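Review bot: The replacement exit test at the bottom of the loop, the `if (!fc->big_writes)` / `if (folio_offset + tmp != folio_size(folio))` pair, is exactly the condition that was wrong in the commit named by the Fixes tag, yet it still carries no comment saying what it guards, so a future change to the folio layout could break it just as silently. I would keep the single-condition shape of the removed line, `if (!fc->big_writes || folio_offset + tmp != folio_size(folio)) break;`, preceded by `/* Keep filling the request only when this copy reached the end of the folio; a short copy or a write that ends mid-folio is sent as is. */`. Both the loop and fuse_fill_write_pages() itself begin and end outside the hunk, so the earlier handling of a zero-length copy is not visible here; as written, tmp == 0 does fall through to this break because folio_offset is always below folio_size(folio), which is worth stating in that comment too.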
--
2.19.1.6.gb485710b
On 1/14/26 1:56 PM, Jingbo Xu wrote:
> When large folio is enabled and the initial folio offset exceeds
> PAGE_SIZE, e.g. the position resides in the second page of a large
> folio, after the folio copying the offset (in the page) won't be updated
> to 0 even though the expected range is successfully copied until the end
> of the folio. In this case fuse_fill_write_pages() exits prematurelly
> before the request has reached the max_write/max_pages limit.
>
> Fix this by eliminating page offset entirely and use folio offset
> instead.
>
> Fixes: d60a6015e1a2 ("fuse: support large folios for writethrough writes")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
> ---
Sorry, I will drop the incorrect prefix of the subject line later in v2,
leaving some time for more feedback.
--
Thanks,
Jingbo
Hi Jingbo,
On Wed, Jan 14, 2026 at 01:56:15PM +0800, Jingbo Xu wrote:
> When large folio is enabled and the initial folio offset exceeds
> PAGE_SIZE, e.g. the position resides in the second page of a large
> folio, after the folio copying the offset (in the page) won't be updated
> to 0 even though the expected range is successfully copied until the end
> of the folio. In this case fuse_fill_write_pages() exits prematurelly
> before the request has reached the max_write/max_pages limit.
>
> Fix this by eliminating page offset entirely and use folio offset
> instead.
>
> Fixes: d60a6015e1a2 ("fuse: support large folios for writethrough writes")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
> ---
> fs/fuse/file.c | 10 ++++------
> 1 file changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
> index 625d236b881b..6aafb32338b6 100644
> --- a/fs/fuse/file.c
> +++ b/fs/fuse/file.c
> @@ -1272,7 +1272,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
> {
> struct fuse_args_pages *ap = &ia->ap;
> struct fuse_conn *fc = get_fuse_conn(mapping->host);
> - unsigned offset = pos & (PAGE_SIZE - 1);
> size_t count = 0;
> unsigned int num;
> int err = 0;
> @@ -1299,7 +1298,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
> if (mapping_writably_mapped(mapping))
> flush_dcache_folio(folio);
>
> - folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset;
> + folio_offset = offset_in_folio(folio, pos);
> bytes = min(folio_size(folio) - folio_offset, num);
>
> tmp = copy_folio_from_iter_atomic(folio, folio_offset, bytes, ii);
> @@ -1329,9 +1328,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
> count += tmp;
> pos += tmp;
> num -= tmp;
> - offset += tmp;
> - if (offset == folio_size(folio))
> - offset = 0;
>
> /* If we copied full folio, mark it uptodate */
> if (tmp == folio_size(folio))
> @@ -1343,7 +1339,9 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
> ia->write.folio_locked = true;
> break;
> }
> - if (!fc->big_writes || offset != 0)
> + if (!fc->big_writes)
> + break;
> + if (folio_offset + tmp != folio_size(folio))
> break;
> }
>
> --
> 2.19.1.6.gb485710b
>
>
I think this might have been an oversight when moving from pages to folios.
Reviewed-by: Horst Birthelmer <hbirthelmer@ddn.com>
On 1/14/26 4:58 PM, Horst Birthelmer wrote:
>
> Hi Jingbo,
>
> On Wed, Jan 14, 2026 at 01:56:15PM +0800, Jingbo Xu wrote:
>> When large folio is enabled and the initial folio offset exceeds
>> PAGE_SIZE, e.g. the position resides in the second page of a large
>> folio, after the folio copying the offset (in the page) won't be updated
>> to 0 even though the expected range is successfully copied until the end
>> of the folio. In this case fuse_fill_write_pages() exits prematurelly
>> before the request has reached the max_write/max_pages limit.
>>
>> Fix this by eliminating page offset entirely and use folio offset
>> instead.
>>
>> Fixes: d60a6015e1a2 ("fuse: support large folios for writethrough writes")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
>> ---
>> fs/fuse/file.c | 10 ++++------
>> 1 file changed, 4 insertions(+), 6 deletions(-)
>>
>> diff --git a/fs/fuse/file.c b/fs/fuse/file.c
>> index 625d236b881b..6aafb32338b6 100644
>> --- a/fs/fuse/file.c
>> +++ b/fs/fuse/file.c
>> @@ -1272,7 +1272,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
>> {
>> struct fuse_args_pages *ap = &ia->ap;
>> struct fuse_conn *fc = get_fuse_conn(mapping->host);
>> - unsigned offset = pos & (PAGE_SIZE - 1);
>> size_t count = 0;
>> unsigned int num;
>> int err = 0;
>> @@ -1299,7 +1298,7 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
>> if (mapping_writably_mapped(mapping))
>> flush_dcache_folio(folio);
>>
>> - folio_offset = ((index - folio->index) << PAGE_SHIFT) + offset;
>> + folio_offset = offset_in_folio(folio, pos);
>> bytes = min(folio_size(folio) - folio_offset, num);
>>
>> tmp = copy_folio_from_iter_atomic(folio, folio_offset, bytes, ii);
>> @@ -1329,9 +1328,6 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
>> count += tmp;
>> pos += tmp;
>> num -= tmp;
>> - offset += tmp;
>> - if (offset == folio_size(folio))
>> - offset = 0;
>>
>> /* If we copied full folio, mark it uptodate */
>> if (tmp == folio_size(folio))
>> @@ -1343,7 +1339,9 @@ static ssize_t fuse_fill_write_pages(struct fuse_io_args *ia,
>> ia->write.folio_locked = true;
>> break;
>> }
>> - if (!fc->big_writes || offset != 0)
>> + if (!fc->big_writes)
>> + break;
>> + if (folio_offset + tmp != folio_size(folio))
>> break;
>> }
>>
>> --
>> 2.19.1.6.gb485710b
>>
>>
>
>
> I think this might have been an oversight when moving from pages to folios.
>
> Reviewed-by: Horst Birthelmer <hbirthelmer@ddn.com>
Right, it's not triggered until large folio is enabled.
Thanks for the review :)