From: Denis Arefev
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Gao Xiang, Chao Yu, Jeffle Xu, linux-erofs@lists.ozlabs.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, syzbot+5b886a2e03529dbcef81@syzkaller.appspotmail.com
Subject: [PATCH v2 6.1] erofs: Fix the slab-out-of-bounds in drop_buffers()
Date: Mon, 23 Mar 2026 16:59:35 +0300
Message-ID: <20260323135936.15070-1-arefev@swemel.ru>

commit ce529cc25b184e93397b94a8a322128fc0095cbb upstream.

This was accidentally fixed in commit ce529cc25b18, but it's not possible
to accept all the changes, due to the lack of large folios support for
Linux 6.1 kernels, so this is only the actual bug fix that's needed.

[Background]
Syzbot reported that a KASAN slab-out-of-bounds bug was discovered in
the drop_buffers() function [1].

The root cause is that erofs_raw_access_aops does not define
.release_folio and .invalidate_folio. When using iomap-based operations,
folio->private may contain iomap-specific data rather than buffer_heads.
Without special handlers, the kernel may fall back to generic functions
(such as drop_buffers), which incorrectly treat folio->private as a list
of buffer_head structures, leading to incorrect memory interpretation and
out-of-bounds access.
Fix this by explicitly setting .release_folio and .invalidate_folio to
the values of iomap_release_folio and iomap_invalidate_folio, respectively.

[1] https://syzkaller.appspot.com/x/report.txt?x=12e5a142580000

Fixes: 7479c505b4ab ("fs: Convert iomap_readpage to iomap_read_folio")
Reported-by: syzbot+5b886a2e03529dbcef81@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=c6aeabd0c4ad2466f63a274faf2a123103f8fbf7
Signed-off-by: Denis Arefev
---
 fs/erofs/data.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/erofs/data.c b/fs/erofs/data.c
index 7b648bec61fd..302e824827fc 100644
--- a/fs/erofs/data.c
+++ b/fs/erofs/data.c
@@ -406,6 +406,8 @@ const struct address_space_operations erofs_raw_access_= aops =3D { .readahead =3D erofs_readahead, .bmap =3D erofs_bmap, .direct_IO =3D noop_direct_IO, + .release_folio =3D iomap_release_folio, + .invalidate_folio =3D iomap_invalidate_folio, }; =20 #ifdef CONFIG_FS_DAX
-- 
2.43.0
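Review bot: there is no v2 changelog below the `---` separator, so a stable reviewer cannot tell from this hunk what changed since v1 of the 6.1 backport; add a short "v2:" note there stating what was dropped or adjusted relative to upstream ce529cc25b18. The hunk wires .release_folio and .invalidate_folio only into erofs_raw_access_aops (diffstat: one file, two insertions), while the message attributes the out-of-bounds access to folio->private holding iomap data under this aops; it would help to say in the message whether any other iomap-backed address_space_operations in fs/erofs need the same two callbacks on 6.1, or why they do not, so the partial backport is clearly complete for this tree.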