From c24fe03310345556dbee59b87a33a88b597b0bad Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 24 Jun 2023 16:11:14 +0200 Subject: [PATCH] 4.19-stable patches added patches: nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch --- ...tion-fault-in-nilfs_clear_dirty_page.patch | 56 +++++++++++++++++++ queue-4.19/series | 1 + 2 files changed, 57 insertions(+) create mode 100644 queue-4.19/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch diff --git a/queue-4.19/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch b/queue-4.19/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch new file mode 100644 index 00000000000..f1cba1937b5 --- /dev/null +++ b/queue-4.19/nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch 
@@ -0,0 +1,56 @@ +From 782e53d0c14420858dbf0f8f797973c150d3b6d7 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Mon, 12 Jun 2023 11:14:56 +0900 +Subject: nilfs2: prevent general protection fault in nilfs_clear_dirty_page() + +From: Ryusuke Konishi + +commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream. + +In a syzbot stress test that deliberately causes file system errors on +nilfs2 with a corrupted disk image, it has been reported that +nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a +general protection fault. + +In nilfs_clear_dirty_pages(), when looking up dirty pages from the page +cache and calling nilfs_clear_dirty_page() for each dirty page/folio +retrieved, the back reference from the argument page to "mapping" may have +been changed to NULL (and possibly others). It is necessary to check this +after locking the page/folio. + +So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio +after locking it in nilfs_clear_dirty_pages() if the back reference +"mapping" from the page/folio is different from the "mapping" that held +the page/folio just before. + +Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com +Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com +Tested-by: Ryusuke Konishi +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/page.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/nilfs2/page.c ++++ b/fs/nilfs2/page.c +@@ -372,7 +372,15 @@ void nilfs_clear_dirty_pages(struct addr + struct page *page = pvec.pages[i]; + + lock_page(page); +- nilfs_clear_dirty_page(page, silent); ++ ++ /* ++ * This page may have been removed from the address ++ * space by truncation or invalidation when the lock ++ * was acquired. Skip processing in that case. 
++ */ ++ if (likely(page->mapping == mapping)) ++ nilfs_clear_dirty_page(page, silent); ++ + unlock_page(page); + } + pagevec_release(&pvec); diff --git a/queue-4.19/series b/queue-4.19/series index 97b4fad9fa2..bbda31db69c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -10,3 +10,4 @@ nilfs2-fix-buffer-corruption-due-to-concurrent-device-reads.patch drivers-hv-vmbus-fix-vmbus_wait_for_unload-to-scan-present-cpus.patch pci-hv-fix-a-race-condition-bug-in-hv_pci_query_relations.patch cgroup-do-not-corrupt-task-iteration-when-rebinding-subsystem.patch +nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch -- 2.47.3
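Review bot: The in-code comment in the fs/nilfs2/page.c hunk slightly misstates the window: the page can be detached from the address space while lock_page() is waiting for the lock, not "when the lock was acquired"; "while the lock was being acquired" (or "before the lock was acquired") would match the commit message, which explains that the back reference can become NULL or point elsewhere only once the lock is held and must therefore be re-checked afterwards. The check itself, `if (likely(page->mapping == mapping))`, is the right guard, assuming `mapping` is the address_space argument whose type is cut off in the hunk header (`struct addr`): a page truncated or invalidated under the page lock has its mapping cleared, so comparing against the mapping that produced the pagevec entry correctly skips stale pages and avoids the general protection fault the commit describes, and the page is still unlocked on the skip path because `unlock_page(page);` stays outside the new conditional. One small backport note: this 4.19 version keeps the original `pvec.pages[i]` / `struct page` form rather than folios, which is consistent with the tree, so the "page/folio" wording in the commit message is upstream text rather than a mismatch with the code.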