hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IBGUNQ CVE: NA
--------------------------------
After entering drop_pagecache_sb() during the drop_cache process, the inode reference count is first incremented, then call invalidate_mapping_pages(). One of the parameters passed to this function is inode->i_mapping.
However, if inode->i_mapping holds the i_mapping of another inode, and that other inode has already been released, a UAF issue may occur because the lifecycle of the other inode cannot be guaranteed. This could happen in scenarios such as the bd_acquire->bd_forget process.
By adding relevant filtering conditions to avoid this issue.
Fixes: 9d0243bca345 ("[PATCH] drop-pagecache") Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/drop_caches.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/drop_caches.c b/fs/drop_caches.c index dc1a1d5d825b..768a6699a719 100644 --- a/fs/drop_caches.c +++ b/fs/drop_caches.c @@ -35,7 +35,8 @@ static void drop_pagecache_sb(struct super_block *sb, void *unused) spin_unlock(&inode->i_lock); spin_unlock(&sb->s_inode_list_lock);
- invalidate_mapping_pages(inode->i_mapping, 0, -1); + if (!S_ISBLK(inode->i_mode) || sb_is_blkdev_sb(sb)) + invalidate_mapping_pages(inode->i_mapping, 0, -1); iput(toput_inode); toput_inode = inode;