On Tue, Apr 01, 2025 at 03:20:53PM +0100, Matthew Wilcox wrote: > On Tue, Apr 01, 2025 at 10:02:55PM +0800, Sheng Yong wrote: > > When testing EROFS file-backed mount over v9fs on qemu, I encounter > > a folio UAF and page sanity check reports the following call trace. > > Fix it by increasing non slab folio refcount correctly. > > This report needs to say what the problem _is_, which is that pages may > be coalesced across a folio boundary. 9p/virtio also really needs to move away from iov_iter_get_pages_alloc and to iov_iter_extract_pages. That way it properly pins pages for user memory and doesn't do the pointless page reference for kernel iters that triggered this. Of course until all callers are gone this fix is needed, but the caller also needs fixing to use the proper interface. (Same for ceph and nfs)
