www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Yu Kuai <yukuai3@huawei.com>
	Tue, 6 May 2025 06:17:54 +0000 (14:17 +0800)
committer	Jens Axboe <axboe@kernel.dk>
	Tue, 6 May 2025 13:42:27 +0000 (07:42 -0600)
commit	0e8acffc1be10d53e909b3aa43831d6c2d25a579
tree	53a16aafb145eb11c6431d1fadcf676d483aa86b	tree
parent	e96ee7e1deaa74c5cc80ab03b51943ece5809984	commit \| diff

brd: protect page with rcu

Currently, after fetching the page by xa_load() in IO path, there is no
protection and page can be freed concurrently by discard:

cpu0
brd_submit_bio
brd_do_bvec
  page = brd_lookup_page
                          cpu1
                          brd_submit_bio
                           brd_do_discard
                            page = __xa_erase()
                            __free_page()
  // page UAF

Fix the problem by protecting page with rcu.

Meanwhile, if page is already freed, also prevent BUG_ON() by skipping
the write, and user will get zero data later if there is no page.

Fixes: 9ead7efc6f3f ("brd: implement discard support")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250506061756.2970934-2-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>