Patch "f2fs: compress: fix to avoid use-after-free on dic" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 10 Nov 2023 13:09:07 -0500

This is a note to let you know that I've just added the patch titled

    f2fs: compress: fix to avoid use-after-free on dic

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     f2fs-compress-fix-to-avoid-use-after-free-on-dic.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 776d288c1ee24908d60507e549de1044dbc0bd79
Author: Chao Yu <chao@xxxxxxxxxx>
Date:   Mon Aug 28 22:04:15 2023 +0800

    f2fs: compress: fix to avoid use-after-free on dic
    
    [ Upstream commit b0327c84e91a0f4f0abced8cb83ec86a7083f086 ]
    
    Call trace:
     __memcpy+0x128/0x250
     f2fs_read_multi_pages+0x940/0xf7c
     f2fs_mpage_readpages+0x5a8/0x624
     f2fs_readahead+0x5c/0x110
     page_cache_ra_unbounded+0x1b8/0x590
     do_sync_mmap_readahead+0x1dc/0x2e4
     filemap_fault+0x254/0xa8c
     f2fs_filemap_fault+0x2c/0x104
     __do_fault+0x7c/0x238
     do_handle_mm_fault+0x11bc/0x2d14
     do_mem_abort+0x3a8/0x1004
     el0_da+0x3c/0xa0
     el0t_64_sync_handler+0xc4/0xec
     el0t_64_sync+0x1b4/0x1b8
    
    In f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if
    we hit cached page in compress_inode's cache, dic may be released, it needs
    break the loop rather than continuing it, in order to avoid accessing
    invalid dic pointer.
    
    Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks")
    Signed-off-by: Chao Yu <chao@xxxxxxxxxx>
    Signed-off-by: Jaegeuk Kim <jaegeuk@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 3f33e14dc7f81..1ac34eb49a0e8 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -2344,8 +2344,10 @@ int f2fs_read_multi_pages(struct compress_ctx *cc, struct bio **bio_ret,
 		f2fs_wait_on_block_writeback(inode, blkaddr);
 
 		if (f2fs_load_compressed_page(sbi, page, blkaddr)) {
-			if (atomic_dec_and_test(&dic->remaining_pages))
+			if (atomic_dec_and_test(&dic->remaining_pages)) {
 				f2fs_decompress_cluster(dic, true);
+				break;
+			}
 			continue;
 		}
 






