[lvc-project] [PATCH 6.1 0/1] erofs: Fix the slab-out-of-bounds in drop_buffers()
Denis Arefev
arefev at swemel.ru
Mon Mar 23 10:48:05 MSK 2026

Syzbot reported that a KASAN slab-out-of-bounds bug was discovered in the drop_buffers()
function [1].

The root cause is that erofs_raw_access_aops does not define .release_folio and
.invalidate_folio. When using iomap-based operations, folio->private may contain
iomap-specific data rather than buffer_heads. Without special handlers, the kernel
may fall back to generic functions (e.g., drop_buffers), which incorrectly treat
folio->private as a list of buffer_head structures, leading to incorrect memory
interpretation and out-of-bounds access.

This can be fixed by explicitly setting .release_folio and .invalidate_folio to
iomap_release_folio and iomap_invalidate_folio, respectively, but there is a
commit ce529cc25b184e93397b94a8a322128fc0095cbb in upstream that implicitly
fixes this bug.

Please commit it to the stable branch v6.1.y.

[1] https://syzkaller.appspot.com/bug?id=c6aeabd0c4ad2466f63a274faf2a123103f8fbf7

Jingbo Xu (1):
  erofs: enable large folios for iomap mode

 fs/erofs/data.c  | 2 ++
 fs/erofs/inode.c | 2 ++
 2 files changed, 4 insertions(+)

--
2.43.0
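
The fallback described in the cover letter, as an added userspace model that is not part of the original message and is not kernel code: every `model_*` type and function, the `aops_*` tables and the struct layouts are constructed for illustration. It reports how many bytes the buffer_head path would read past an iomap state object when no release handler is defined, and zero when an iomap-aware handler is set.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model: names echo the kernel's, layouts are simplified. */
struct model_bh {                 /* what the generic path expects in ->private */
    unsigned long b_state;
    struct model_bh *b_this_page;
    char b_other[64];
    int b_count;
};
/* What an iomap-based filesystem stores in ->private instead (much smaller). */
struct model_iomap_state { int read_bytes_pending; unsigned long uptodate; };

struct model_folio;
struct model_aops { size_t (*release_folio)(const struct model_folio *); };
struct model_folio {
    const void *private;          /* opaque: only the owner knows its type */
    size_t private_size;          /* size of the object behind it */
    const struct model_aops *a_ops;
};

/* Bytes of a read ending at offset `end` that fall outside the real object. */
static size_t past_end(const struct model_folio *f, size_t end) {
    return end > f->private_size ? end - f->private_size : 0;
}
/* Generic fallback: reads b_count as if ->private were a buffer_head. */
static size_t model_drop_buffers(const struct model_folio *f) {
    return past_end(f, offsetof(struct model_bh, b_count) + sizeof(int));
}
/* iomap-aware handler: reads ->private as its own state type. */
static size_t model_iomap_release(const struct model_folio *f) {
    return past_end(f, sizeof(struct model_iomap_state));
}
/* Use the filesystem's handler when defined, else the buffer_head path. */
static size_t model_release_folio(const struct model_folio *f) {
    if (f->a_ops && f->a_ops->release_folio)
        return f->a_ops->release_folio(f);
    return model_drop_buffers(f);
}
static const struct model_aops aops_without_handler = { NULL };
static const struct model_aops aops_with_handler = { model_iomap_release };

/* Release a folio whose ->private holds iomap state; returns bytes out of bounds. */
static size_t demo(const struct model_aops *aops) {
    static const struct model_iomap_state st = { 0, 0 };
    struct model_folio f = { &st, sizeof st, aops };
    return model_release_folio(&f);
}
int main(void) {
    printf("no handler: %zu, with handler: %zu\n",
           demo(&aops_without_handler), demo(&aops_with_handler));
    return 0;
}
```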