Hi,

On Thu, Feb 20, 2025 at 04:24:50PM +0100, Max Kellermann wrote:

If multiple subrequests donate data to the same "next" request (depending on the subrequest completion order), each of them would overwrite the `prev_donated` field, causing data corruption and a BUG() crash ("Can't donate prior to front").

Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading") Closes: https://lore.kernel.org/netfs/CAKPOu+_4mUwYgQtRTbXCmi+-k3PGvLysnPadkmHOyB7Gz... Cc: stable@vger.kernel.org Signed-off-by: Max Kellermann max.kellermann@ionos.com Signed-off-by: David Howells dhowells@redhat.com

---

fs/netfs/read_collect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c index 8878b46589ff..cafadfe8e858 100644 --- a/fs/netfs/read_collect.c +++ b/fs/netfs/read_collect.c @@ -284,7 +284,7 @@ static bool netfs_consume_read_data(struct netfs_io_subrequest *subreq, bool was netfs_trace_donate_to_deferred_next); } else { next = list_next_entry(subreq, rreq_link);

• WRITE_ONCE(next->prev_donated, excess);
  

• WRITE_ONCE(next->prev_donated, next->prev_donated + excess);
  

  trace_netfs_donate(rreq, subreq, next, excess, netfs_trace_donate_to_next); }

-- 2.47.2

Unless I did some mistakes researching both the stable, netfs lists, did this felt through the cracks and is still missing for to be picked for the 6.12.y and 6.13.y series?

Regards, Salvatore