Max Kellermann <max.kellermann@xxxxxxxxx> wrote:

> At the beginning of the function, folio queues with marks3==0 are
> skipped, but after that, the `marks3` field is ignored. If one such
> queue is found, `slot` is set to 64 (because `__ffs(0)==64`), leading
> to a buffer overflow in the folioq_folio() call. The resulting crash
> may look like this:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> ...
>
> Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Max Kellermann <max.kellermann@xxxxxxxxx>

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
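Added illustration, not part of this patch or of the netfs code: a user-space C model of the walk described above, showing the head-only marks3 check beside the per-queue check. The struct, slot count, walker shape and sample data are assumptions; ffs_sim reproduces the quoted __ffs(0) == 64 result, and the bounds-checked folioq_folio_sim turns the would-be overflow into a sentinel value so it can be observed.

```c
/* User-space model, not the netfs code: layout and walker shape are assumptions;
 * only marks3 and the __ffs(0) == 64 behaviour come from the patch description. */
#define FOLIOQ_SLOTS 8
#define NO_FOLIO (-1)         /* sentinel: the index would have run out of bounds */
struct folio_queue_sim {
    int folio_ids[FOLIOQ_SLOTS];
    unsigned long marks3;     /* bit n set => slot n carries the mark */
};
/* Mirrors the behaviour quoted above: __ffs(0) yields the word size, 64. */
static unsigned long ffs_sim(unsigned long word)
{
    return word ? (unsigned long)__builtin_ctzl(word) : 64;
}
/* Bounds-checked stand-in for folioq_folio(): NO_FOLIO instead of an OOB read. */
static int folioq_folio_sim(const struct folio_queue_sim *q, unsigned long slot)
{
    return slot < FOLIOQ_SLOTS ? q->folio_ids[slot] : NO_FOLIO;
}
/* Buggy walk: empties are skipped only at the head; later queues hit __ffs()
 * unchecked, so an empty one yields slot 64. */
static int collect_marked_buggy(const struct folio_queue_sim *qs, int n, int *out)
{
    int i = 0, count = 0;
    while (i < n && qs[i].marks3 == 0)
        i++;
    for (; i < n; i++)
        out[count++] = folioq_folio_sim(&qs[i], ffs_sim(qs[i].marks3));
    return count;
}

/* Fixed walk: marks3 is re-checked for every queue before __ffs(). */
static int collect_marked_fixed(const struct folio_queue_sim *qs, int n, int *out)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        if (qs[i].marks3 != 0)
            out[count++] = folioq_folio_sim(&qs[i], ffs_sim(qs[i].marks3));
    return count;
}

/* Constructed sample: queues 0 and 2 unmarked, queue 1 marks slot 2, queue 3
 * marks slot 5; folio id = queue * 10 + slot. */
static void build_sample(struct folio_queue_sim qs[4])
{
    for (int k = 0; k < 4; k++) {
        for (int s = 0; s < FOLIOQ_SLOTS; s++)
            qs[k].folio_ids[s] = k * 10 + s;
        qs[k].marks3 = k == 1 ? 1UL << 2 : k == 3 ? 1UL << 5 : 0;
    }
}
```

Over the sample, the buggy walk reports folios 12, NO_FOLIO, 35 (the middle entry is the slot-64 access), while the fixed walk reports only 12 and 35.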