From: Ryusuke Konishi Date: Sat, 5 Aug 2023 13:20:38 +0000 (+0900) Subject: nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() X-Git-Tag: v4.14.326~176 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4e9e1a996451de13c585122bebc1c18149c29ec;p=thirdparty%2Fkernel%2Fstable.git nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() commit f83913f8c5b882a312e72b7669762f8a5c9385e4 upstream. A syzbot stress test reported that create_empty_buffers() called from nilfs_lookup_dirty_data_buffers() can cause a general protection fault. Analysis using its reproducer revealed that the back reference "mapping" from a page/folio has been changed to NULL after dirty page/folio gang lookup in nilfs_lookup_dirty_data_buffers(). Fix this issue by excluding pages/folios from being collected if, after acquiring a lock on each page/folio, its back reference "mapping" differs from the pointer to the address space struct that held the page/folio. Link: https://lkml.kernel.org/r/20230805132038.6435-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+0ad741797f4565e7e2d2@syzkaller.appspotmail.com Closes: https://lkml.kernel.org/r/0000000000002930a705fc32b231@google.com Tested-by: Ryusuke Konishi Cc: Signed-off-by: Andrew Morton Signed-off-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index f4215dbaca0d0..ca4b1675c1475 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -743,6 +743,11 @@ static size_t nilfs_lookup_dirty_data_buffers(struct inode *inode, break; lock_page(page); + if (unlikely(page->mapping != mapping)) { + /* Exclude pages removed from the address space */ + unlock_page(page); + continue; + } if (!page_has_buffers(page)) create_empty_buffers(page, i_blocksize(inode), 0); unlock_page(page);