Boundary Mathematics: Weaponizing PAGE_SHIFT Arithmetic via FUSE — Part 3
MAX_LFS_FILESIZE only gates the superblock. Once the FUSE connection is up, every FUSE_GETATTR reply can mutate i_size to 0xFFFFFFFFFFFFFFFF. The page cache’s (pos + count - 1) » PAGE_SHIFT arithmetic wraps unsigned, inverts loop invariants, and turns vma_merge() into an arbitrary OOB-write primitive on Maple Tree-backed kernels.