Hi,

On 10/21/2024 9:30 AM, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 5d9e1455630d0f464f169bbd637dbb264cbd8ac8
> Author: Josef Bacik <josef@xxxxxxxxxxxxxx>
> Date:   Mon Sep 30 13:45:18 2024 +0000
>
>     fuse: convert fuse_notify_store to use folios
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=120dc25f980000
> start commit:   15e7d45e786a Add linux-next specific files for 20241016
> git tree:       linux-next
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=110dc25f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=160dc25f980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c36416f1c54640c0
> dashboard link: https://syzkaller.appspot.com/bug?extid=65d101735df4bb19d2a3
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1623e830580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16582f27980000
>
> Reported-by: syzbot+65d101735df4bb19d2a3@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 5d9e1455630d ("fuse: convert fuse_notify_store to use folios")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

It seems fuse_notify_store invokes folio_zero_range() incorrectly. The
third argument of folio_zero_range() should be the to-copy length
instead of the total length. The following patch will fix the problem:

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 5edad55750b0..87e39c9343c4 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1668,7 +1668,7 @@ static int fuse_notify_store(struct fuse_conn *fc, unsigned int size,
 		err = fuse_copy_page(cs, &page, offset, this_num, 0);
 		if (!folio_test_uptodate(folio) && !err && offset == 0 &&
 		    (this_num == folio_size(folio) || file_size == end)) {
-			folio_zero_range(folio, this_num, folio_size(folio));
+			folio_zero_range(folio, this_num, folio_size(folio) - this_num);
 			folio_mark_uptodate(folio);
 		}
 		folio_unlock(folio);

Will post a formal patch later.
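Review bot: the corrected length in the `+` line is right for folio_zero_range()'s (folio, start, length) signature: with start = this_num, the old call with length folio_size(folio) ends at this_num + folio_size(folio), i.e. it zeroes this_num bytes past the end of the folio, which is what the syzbot report above caught; folio_size(folio) - this_num is the remaining tail. Two things for the formal patch: when the guard's first alternative holds (this_num == folio_size(folio)) the new length is 0 and the call is a no-op, so it may be clearer to only zero when this_num < folio_size(folio); and the Reported-by: and Fixes: 5d9e1455630d tags from the syzbot message should be carried into the commit message. Also note that the context line still passes &page to fuse_copy_page() while the rest of the block operates on folio, so it is worth confirming that page and folio refer to the same memory before the partially converted function is left as is.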