From: Christoph Hellwig <hch@infradead.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: Sheng Yong <shengyong2021@gmail.com>,
akpm@linux-foundation.org, vbabka@suse.cz,
linux-kernel@vger.kernel.org, linux-mm@archiver.kernel.org,
Sheng Yong <shengyong1@xiaomi.com>,
linux-nfs@vger.kernel.org, ceph-devel@vger.kernel.org
Subject: Re: [PATCH] lib/iov_iter: fix to increase non slab folio refcount
Date: Fri, 4 Apr 2025 01:40:55 -0700 [thread overview]
Message-ID: <Z--bF9D8FFqVZ-s5@infradead.org> (raw)
In-Reply-To: <Z-v2ReHKyFIXQlKs@casper.infradead.org>
On Tue, Apr 01, 2025 at 03:20:53PM +0100, Matthew Wilcox wrote:
> On Tue, Apr 01, 2025 at 10:02:55PM +0800, Sheng Yong wrote:
> > When testing EROFS file-backed mount over v9fs on qemu, I encounter
> > a folio UAF and page sanity check reports the following call trace.
> > Fix it by increasing non slab folio refcount correctly.
>
> This report needs to say what the problem _is_, which is that pages may
> be coalesced across a folio boundary.
9p/virtio also really needs to move away from iov_iter_get_pages_alloc
and to iov_iter_extract_pages. That way it properly pins pages for user
memory and doesn't do the pointless page reference for kernel iters that
triggered this. Of course until all callers are gone this fix is
needed, but the caller also needs fixing to use the proper interface.
(Same for ceph and nfs)
prev parent reply other threads:[~2025-04-04 8:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-01 14:02 [PATCH] lib/iov_iter: fix to increase non slab folio refcount Sheng Yong
2025-04-01 14:20 ` Matthew Wilcox
2025-04-04 8:40 ` Christoph Hellwig [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z--bF9D8FFqVZ-s5@infradead.org \
--to=hch@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=ceph-devel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@archiver.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=shengyong1@xiaomi.com \
--cc=shengyong2021@gmail.com \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox