Commit b45a4374 authored Jan 10, 2025 by Zizhi Wo

fs: Filter specific inodes to prevent UAF issues

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBGUNQ


CVE: NA

--------------------------------

After entering drop_pagecache_sb() during the drop_cache process, the inode
reference count is first incremented, then call invalidate_mapping_pages().
One of the parameters passed to this function is inode->i_mapping.

However, if inode->i_mapping holds the i_mapping of another inode, and that
other inode has already been released, a UAF issue may occur because the
lifecycle of the other inode cannot be guaranteed. This could happen in
scenarios such as the bd_acquire->bd_forget process.

By adding relevant filtering conditions to avoid this issue.

Fixes: 9d0243bc ("[PATCH] drop-pagecache")
Signed-off-by: Zizhi Wo <wozizhi@huawei.com>

parent 6aa478cf

fs/dirty_pages.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -120,6 +120,7 @@ static void dump_dirtypages_sb(struct super_block sb, struct seq_file m)

		spin_lock(&sb->s_inode_list_lock);
		list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
		nr_dirtys = 0;
		spin_lock(&inode->i_lock);

		/*
		@@ -138,6 +139,7 @@ static void dump_dirtypages_sb(struct super_block sb, struct seq_file m)

		cond_resched();

		if (!S_ISBLK(inode->i_mode) \|\| sb_is_blkdev_sb(sb))
		nr_dirtys = dump_dirtypages_inode(inode);
		if (!nr_dirtys \|\| nr_dirtys < limit)
		goto skip;

fs/drop_caches.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -35,6 +35,7 @@ static void drop_pagecache_sb(struct super_block sb, void unused)
		spin_unlock(&inode->i_lock);
		spin_unlock(&sb->s_inode_list_lock);

		if (!S_ISBLK(inode->i_mode) \|\| sb_is_blkdev_sb(sb))
		invalidate_mapping_pages(inode->i_mapping, 0, -1);
		iput(toput_inode);
		toput_inode = inode;