Patch "nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()" has been added to the 4.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 03 Sep 2023 14:58:38 +0200

This is a note to let you know that I've just added the patch titled

    nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nilfs2-fix-general-protection-fault-in-nilfs_lookup_dirty_data_buffers.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From f83913f8c5b882a312e72b7669762f8a5c9385e4 Mon Sep 17 00:00:00 2001
From: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
Date: Sat, 5 Aug 2023 22:20:38 +0900
Subject: nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()

From: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>

commit f83913f8c5b882a312e72b7669762f8a5c9385e4 upstream.

A syzbot stress test reported that create_empty_buffers() called from
nilfs_lookup_dirty_data_buffers() can cause a general protection fault.

Analysis using its reproducer revealed that the back reference "mapping"
from a page/folio has been changed to NULL after dirty page/folio gang
lookup in nilfs_lookup_dirty_data_buffers().

Fix this issue by excluding pages/folios from being collected if, after
acquiring a lock on each page/folio, its back reference "mapping" differs
from the pointer to the address space struct that held the page/folio.

Link: https://lkml.kernel.org/r/20230805132038.6435-1-konishi.ryusuke@xxxxxxxxx
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
Reported-by: syzbot+0ad741797f4565e7e2d2@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lkml.kernel.org/r/0000000000002930a705fc32b231@xxxxxxxxxx
Tested-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/nilfs2/segment.c | 5 +++++
 fs/nilfs2/segment.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -743,6 +743,11 @@ static size_t nilfs_lookup_dirty_data_bu
 			break;
 
 		lock_page(page);
+		if (unlikely(page->mapping != mapping)) {
+			/* Exclude pages removed from the address space */
+			unlock_page(page);
+			continue;
+		}
 		if (!page_has_buffers(page))
 			create_empty_buffers(page, i_blocksize(inode), 0);
 		unlock_page(page);


Patches currently in stable-queue which might be from konishi.ryusuke@xxxxxxxxx are

queue-4.14/nilfs2-fix-general-protection-fault-in-nilfs_lookup_dirty_data_buffers.patch
queue-4.14/nilfs2-fix-warning-in-mark_buffer_dirty-due-to-discarded-buffer-reuse.patch






