--- /dev/null
+From 782e53d0c14420858dbf0f8f797973c150d3b6d7 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Mon, 12 Jun 2023 11:14:56 +0900
+Subject: nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream.
+
+In a syzbot stress test that deliberately causes file system errors on
+nilfs2 with a corrupted disk image, it has been reported that
+nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a
+general protection fault.
+
+In nilfs_clear_dirty_pages(), when looking up dirty pages from the page
+cache and calling nilfs_clear_dirty_page() for each dirty page/folio
+retrieved, the back reference from the argument page to "mapping" may have
+been changed to NULL (and possibly others). It is necessary to check this
+after locking the page/folio.
+
+So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio
+after locking it in nilfs_clear_dirty_pages() if the back reference
+"mapping" from the page/folio is different from the "mapping" that held
+the page/folio just before.
+
+Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/page.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/fs/nilfs2/page.c
++++ b/fs/nilfs2/page.c
+@@ -372,7 +372,15 @@ void nilfs_clear_dirty_pages(struct addr
+ struct page *page = pvec.pages[i];
+
+ lock_page(page);
+- nilfs_clear_dirty_page(page, silent);
++
++ /*
++ * This page may have been removed from the address
++ * space by truncation or invalidation when the lock
++ * was acquired. Skip processing in that case.
++ */
++ if (likely(page->mapping == mapping))
++ nilfs_clear_dirty_page(page, silent);
++
+ unlock_page(page);
+ }
+ pagevec_release(&pvec);
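Review bot: The guard `if (likely(page->mapping == mapping))` is only sound because it sits after `lock_page(page)`: truncation and invalidation clear `page->mapping` while holding the page lock, so once this thread owns the lock the comparison cannot race, and a page that was looked up from `mapping` but detached (or reattached elsewhere) before the lock was taken is skipped instead of being handed to nilfs_clear_dirty_page() with a stale or NULL mapping. The hunk keeps the unconditional `unlock_page(page)` on the skip path, which is right. One wording nit on the new comment: "when the lock was acquired" reads as if the removal happened at the moment of acquisition; "while this thread was waiting for the page lock" states the actual window more precisely. Using `likely()` is appropriate here since the detached-page case is a rare race, not a normal path.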