[PATCH 6.1 0/1] erofs: Fix the slab-out-of-bounds in drop_buffers()

From: Denis Arefev

Date: Mon Mar 23 2026 - 03:56:06 EST


Syzbot reported that a KASAN slab-out-of-bounds bug was discovered in the drop_buffers()
function [1].

The root cause is that erofs_raw_access_aops does not define .release_folio and
.invalidate_folio. When using iomap-based operations, folio->private may contain
iomap-specific data rather than buffer_heads. Without special handlers, the kernel
may fall back to generic functions (e.g., drop_buffers), which incorrectly treat
folio->private as a list of buffer_head structures, leading to incorrect memory
interpretation and out-of-bounds access.

This can be fixed by explicitly setting .release_folio and .invalidate_folio to
iomap_release_folio and iomap_invalidate_folio, respectively, but there is a
commit ce529cc25b184e93397b94a8a322128fc0095cbb in upstream that implicitly
fixes this bug.
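To make the fallback described above concrete, here is a small self-contained C model of the dispatch, added for this write-up; it is not code from the patch, from erofs, or from the kernel. The struct and function names (`mock_folio`, `mock_aops`, `mock_try_to_free_buffers`, `mock_iomap_release_folio`, `dispatch_release`) are constructed stand-ins: an address-space operations table with an optional `release_folio` callback, a folio whose `private` pointer is owned either by buffer_heads or by iomap, and a dispatcher that uses the filesystem callback when present and otherwise falls back to the buffer_head path. The model returns which path was taken instead of walking memory, so it shows the type confusion without reproducing it; `invalidate_folio` is not modelled because it follows the same shape.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Who owns folio->private in this mock. Constructed for the example. */
enum private_owner { PRIVATE_NONE, PRIVATE_BUFFER_HEADS, PRIVATE_IOMAP };

struct mock_folio {
    void *private;              /* opaque per-folio data, as in the kernel */
    enum private_owner owner;   /* ground truth about what lives behind it */
};

/* Which release path the dispatcher ended up in. */
enum release_path { PATH_FS_CALLBACK, PATH_GENERIC_BUFFER_HEADS };

/* Mock of the per-filesystem operations table; callbacks are optional. */
struct mock_aops {
    bool (*release_folio)(struct mock_folio *f, enum release_path *taken);
};

/* Stand-in for an iomap-aware release handler: it knows ->private holds
 * iomap state, so it never interprets it as buffer_heads. */
static bool mock_iomap_release_folio(struct mock_folio *f, enum release_path *taken)
{
    *taken = PATH_FS_CALLBACK;
    f->private = NULL;
    f->owner = PRIVATE_NONE;
    return true;
}

/* Stand-in for the generic fallback, which assumes ->private is a list of
 * buffer_heads. The mismatch is reported rather than dereferenced: in the
 * real kernel this is where drop_buffers() would walk iomap data as
 * struct buffer_head, which is the out-of-bounds access Syzbot reported. */
static bool mock_try_to_free_buffers(struct mock_folio *f, enum release_path *taken)
{
    *taken = PATH_GENERIC_BUFFER_HEADS;
    return f->owner == PRIVATE_BUFFER_HEADS;
}

/* Mirrors the dispatch order: filesystem callback if set, else generic path. */
static enum release_path dispatch_release(const struct mock_aops *aops, struct mock_folio *f)
{
    enum release_path taken;
    if (aops->release_folio)
        aops->release_folio(f, &taken);
    else
        mock_try_to_free_buffers(f, &taken);
    return taken;
}

/* True when a folio carrying iomap private data would reach the
 * buffer_head path under the given operations table, i.e. the bug. */
static bool aops_misinterprets_iomap_private(const struct mock_aops *aops)
{
    int iomap_state = 0;   /* placeholder for iomap-owned private data */
    struct mock_folio f = { .private = &iomap_state, .owner = PRIVATE_IOMAP };
    return dispatch_release(aops, &f) == PATH_GENERIC_BUFFER_HEADS;
}

/* Table with no release handler: models the pre-fix erofs_raw_access_aops. */
static const struct mock_aops aops_missing_handlers = { .release_folio = NULL };

/* Table with an iomap handler: models setting .release_folio = iomap_release_folio. */
static const struct mock_aops aops_with_iomap_handlers = {
    .release_folio = mock_iomap_release_folio,
};

int main(void)
{
    printf("no release_folio set  -> buffer_head path reached: %s\n",
           aops_misinterprets_iomap_private(&aops_missing_handlers) ? "yes (bug)" : "no");
    printf("iomap release_folio   -> buffer_head path reached: %s\n",
           aops_misinterprets_iomap_private(&aops_with_iomap_handlers) ? "yes (bug)" : "no");
    return 0;
}
```

The check to carry over when reviewing an iomap-based address_space_operations table is the same one the model encodes: any path that can hand the folio to the generic buffer_head helpers must be intercepted by an iomap-aware callback, otherwise the type of `folio->private` is silently assumed rather than known.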

Please commit it to the stable branch v6.1.y.

[1] https://syzkaller.appspot.com/bug?id=c6aeabd0c4ad2466f63a274faf2a123103f8fbf7

Jingbo Xu (1):
erofs: enable large folios for iomap mode

fs/erofs/data.c | 2 ++
fs/erofs/inode.c | 2 ++
2 files changed, 4 insertions(+)

--
2.43.0