From: Sheng Yong <shengyong1@xiaomi.com>

When testing EROFS file-backed mount over v9fs on qemu, I encounter
a folio UAF and page sanity check reports the following call trace.
Fix it by increasing non slab folio refcount correctly.

BUG: Bad page state in process md5sum  pfn:18300
page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
aops:z_erofs_aops ino:30b0f dentry name(?):"GoogleExtServicesCn.apk"
flags: 0x100000000000041(locked|head|node=0|zone=1)
raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Call Trace:
 dump_stack_lvl+0x53/0x70
 bad_page+0xd4/0x220
 __free_pages_ok+0x76d/0xf30
 __folio_put+0x230/0x320
 p9_release_pages+0x179/0x1f0
 p9_virtio_zc_request+0xa2a/0x1230
 p9_client_zc_rpc.constprop.0+0x247/0x700
 p9_client_read_once+0x34d/0x810
 p9_client_read+0xf3/0x150
 v9fs_issue_read+0x111/0x360
 netfs_unbuffered_read_iter_locked+0x927/0x1390
 netfs_unbuffered_read_iter+0xa2/0xe0
 vfs_iocb_iter_read+0x2c7/0x460
 erofs_fileio_rq_submit+0x46b/0x5b0
 z_erofs_runqueue+0x1203/0x21e0
 z_erofs_readahead+0x579/0x8b0
 read_pages+0x19f/0xa70
 page_cache_ra_order+0x4ad/0xb80
 filemap_readahead.isra.0+0xe7/0x150
 filemap_get_pages+0x7aa/0x1890
 filemap_read+0x320/0xc80
 vfs_read+0x6c6/0xa30
 ksys_read+0xf9/0x1c0
 do_syscall_64+0x9e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x71/0x79

Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
---
 lib/iov_iter.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 8c7fdb7d8c8f..d2ed1a299926 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -1191,8 +1191,7 @@ static ssize_t __iov_iter_get_pages_alloc(struct iov_iter *i,
 			return -ENOMEM;
 		p = *pages;
 		for (int k = 0; k < n; k++) {
-			struct folio *folio = page_folio(page);
-			p[k] = page + k;
+			struct folio *folio = page_folio(p[k] = page + k);
 			if (!folio_test_slab(folio))
 				folio_get(folio);
 		}
-- 
2.43.0

On Tue, Apr 01, 2025 at 10:02:55PM +0800, Sheng Yong wrote:
> When testing EROFS file-backed mount over v9fs on qemu, I encounter
> a folio UAF and page sanity check reports the following call trace.
> Fix it by increasing non slab folio refcount correctly.

This report needs to say what the problem _is_, which is that pages may
be coalesced across a folio boundary.

> +++ b/lib/iov_iter.c
> @@ -1191,8 +1191,7 @@ static ssize_t __iov_iter_get_pages_alloc(struct iov_iter *i,
>  			return -ENOMEM;
>  		p = *pages;
>  		for (int k = 0; k < n; k++) {
> -			struct folio *folio = page_folio(page);
> -			p[k] = page + k;
> +			struct folio *folio = page_folio(p[k] = page + k);

Never write code this ugly.

-			struct folio *folio = page_folio(page);
+			struct folio *folio = page_folio(page + k);
			p[k] = page + k;

is much more readable.

On Tue, Apr 01, 2025 at 03:20:53PM +0100, Matthew Wilcox wrote:
> On Tue, Apr 01, 2025 at 10:02:55PM +0800, Sheng Yong wrote:
> > When testing EROFS file-backed mount over v9fs on qemu, I encounter
> > a folio UAF and page sanity check reports the following call trace.
> > Fix it by increasing non slab folio refcount correctly.
> 
> This report needs to say what the problem _is_, which is that pages may
> be coalesced across a folio boundary.

9p/virtio also really needs to move away from iov_iter_get_pages_alloc
and to iov_iter_extract_pages.  That way it properly pins pages for user
memory and doesn't do the pointless page reference for kernel iters that
triggered this.  Of course until all callers are gone this fix is
needed, but the caller also needs fixing to use the proper interface.

(Same for ceph and nfs)