About this case, the call trace is:

erofs_read_superblock()->
 erofs_read_metabuf()->
  erofs_bread()->
   read_mapping_folio()

41 folio = read_mapping_folio(buf->mapping, index, NULL);

file is NULL in read_mapping_folio() at fs/erofs/data.c, and in fuse_do_readpage(), it needs file to pass the node id and file handle (in userspace), so a check for file needs to be added in fuse_read_folio().

#syz test

diff --git a/fs/fuse/file.c b/fs/fuse/file.c index f33fbce86ae0..fe6df701da24 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -902,6 +902,9 @@ static int fuse_read_folio(struct file *file, struct folio *folio) if (fuse_is_bad(inode)) goto out; + if (!file) + goto out; + err = fuse_do_readpage(file, page); fuse_invalidate_atime(inode); out:
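
Review bot: the new `if (!file) goto out;` ahead of `err = fuse_do_readpage(file, page);` never assigns `err`, so the value returned for a NULL file is whatever `err` held going into the `fuse_is_bad(inode)` check, and that assignment is outside the visible context. Set the error explicitly on this path (for instance `err = -EIO;`, if that is the intended result, which the hunk does not show), or fold the test into the existing `fuse_is_bad(inode)` condition so both failures visibly share one code. A one-line comment saying that `read_mapping_folio()` callers may pass a NULL file, as the erofs path in the description does, would explain why the check exists. This also only turns a NULL `file` reaching `fuse_do_readpage()` into a failed read, so the erofs superblock read in the call trace still fails; the commit message should say whether that is the intended behaviour or whether the caller should be passing a file instead.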