On Fri, Jun 14, 2024 at 09:18:56PM +0800, Hillf Danton wrote:
> Flush lru cache to avoid folio->mapping uaf in case of inode teardown.

What? Inodes are supposed to have all their folios removed before being
freed. Part of removing a folio sets the folio->mapping to NULL. Where is
the report?

> Reported-and-tested-by: syzbot+d79afb004be235636ee8@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Hillf Danton <hdanton@xxxxxxxx>
> ---
> Post for comments because lru_add_drain_all() is too heavy a hammer.
>
> --- x/mm/truncate.c
> +++ y/mm/truncate.c
> @@ -419,6 +419,9 @@ void truncate_inode_pages_range(struct a
>  truncate_folio_batch_exceptionals(mapping, &fbatch, indices);
>  folio_batch_release(&fbatch);
>  }
> +
> + if (mapping_exiting(mapping))
> + lru_add_drain_all();
>  }
>  EXPORT_SYMBOL(truncate_inode_pages_range);
>
> --
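Review bot: the added mapping_exiting()/lru_add_drain_all() block lands after the truncation loop with no comment, and nothing in the hunk or the commit text says which folio->mapping access the drain is racing against or why a drain placed after the loop, rather than before it, closes that window; the cover note itself calls lru_add_drain_all() too heavy a hammer, yet the call now fires for every exiting mapping, including one where the loop found nothing to truncate. Suggest spelling out the race (and the report it came from) in the commit message and putting a short comment above the check, e.g.
+	/* Per-CPU LRU batches may still hold folios of this mapping; drain them before the inode goes away. */
so a reader knows why a system-wide drain belongs on the inode-teardown path and what would have to change for it to be dropped.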