Re: [PATCH] lib/iov_iter: fix to increase non slab folio refcount

From: Matthew Wilcox
Date: Tue Apr 01 2025 - 10:21:11 EST

Next message: Sudeep Holla: "Re: [PATCH v3 3/7] firmware: arm_scmi: imx: Add i.MX95 LMM protocol"
Previous message: Peter Zijlstra: "Re: [PATCH] perf/x86: Rename bts_buffer variables and use struct_size()"
In reply to: Sheng Yong: "[PATCH] lib/iov_iter: fix to increase non slab folio refcount"
Next in thread: Christoph Hellwig: "Re: [PATCH] lib/iov_iter: fix to increase non slab folio refcount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 01, 2025 at 10:02:55PM +0800, Sheng Yong wrote:
> When testing EROFS file-backed mount over v9fs on qemu, I encounter
> a folio UAF and page sanity check reports the following call trace.
> Fix it by increasing non slab folio refcount correctly.

This report needs to say what the problem _is_, which is that pages may
be coalesced across a folio boundary.

> +++ b/lib/iov_iter.c
> @@ -1191,8 +1191,7 @@ static ssize_t __iov_iter_get_pages_alloc(struct iov_iter *i,
> return -ENOMEM;
> p = *pages;
> for (int k = 0; k < n; k++) {
> - struct folio *folio = page_folio(page);
> - p[k] = page + k;
> + struct folio *folio = page_folio(p[k] = page + k);

Never write code this ugly.

- struct folio *folio = page_folio(page);
+ struct folio *folio = page_folio(page + k);
p[k] = page + k;

is much more readable.

Next message: Sudeep Holla: "Re: [PATCH v3 3/7] firmware: arm_scmi: imx: Add i.MX95 LMM protocol"
Previous message: Peter Zijlstra: "Re: [PATCH] perf/x86: Rename bts_buffer variables and use struct_size()"
In reply to: Sheng Yong: "[PATCH] lib/iov_iter: fix to increase non slab folio refcount"
Next in thread: Christoph Hellwig: "Re: [PATCH] lib/iov_iter: fix to increase non slab folio refcount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]