* FAILED: patch "[PATCH] nilfs2: prevent general protection fault in" failed to apply to 6.1-stable tree
@ 2023-06-23 9:24 gregkh
2023-06-24 4:18 ` [PATCH 4.14 4.19 5.4 5.10 5.15 6.1] nilfs2: prevent general protection fault in nilfs_clear_dirty_page() Ryusuke Konishi
0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2023-06-23 9:24 UTC (permalink / raw)
To: konishi.ryusuke, akpm, stable; +Cc: stable
The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 782e53d0c14420858dbf0f8f797973c150d3b6d7
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2023062316-swooned-scurvy-040f@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 782e53d0c14420858dbf0f8f797973c150d3b6d7 Mon Sep 17 00:00:00 2001
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date: Mon, 12 Jun 2023 11:14:56 +0900
Subject: [PATCH] nilfs2: prevent general protection fault in
nilfs_clear_dirty_page()
In a syzbot stress test that deliberately causes file system errors on
nilfs2 with a corrupted disk image, it has been reported that
nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a
general protection fault.
In nilfs_clear_dirty_pages(), when looking up dirty pages from the page
cache and calling nilfs_clear_dirty_page() for each dirty page/folio
retrieved, the back reference from the argument page to "mapping" may have
been changed to NULL (and possibly others). It is necessary to check this
after locking the page/folio.
So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio
after locking it in nilfs_clear_dirty_pages() if the back reference
"mapping" from the page/folio is different from the "mapping" that held
the page/folio just before.
Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index 5cf30827f244..b4e54d079b7d 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -370,7 +370,15 @@ void nilfs_clear_dirty_pages(struct address_space *mapping, bool silent)
struct folio *folio = fbatch.folios[i];
folio_lock(folio);
- nilfs_clear_dirty_page(&folio->page, silent);
+
+ /*
+ * This folio may have been removed from the address
+ * space by truncation or invalidation when the lock
+ * was acquired. Skip processing in that case.
+ */
+ if (likely(folio->mapping == mapping))
+ nilfs_clear_dirty_page(&folio->page, silent);
+
folio_unlock(folio);
}
folio_batch_release(&fbatch);
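Review bot: the new comment above the folio->mapping check says the folio may have been removed "when the lock was acquired", which reads as if taking the lock caused the removal. The window is between the batch lookup and folio_lock() returning, so "by the time the lock was acquired" would describe the race more accurately. The comment could also say that a skipped folio is only unlocked here and its dirty state is left untouched by this function, so a later reader does not mistake the skip for a missed cleanup.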
* [PATCH 4.14 4.19 5.4 5.10 5.15 6.1] nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
From: Ryusuke Konishi @ 2023-06-24 4:18 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman; +Cc: Andrew Morton
commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream.
In a syzbot stress test that deliberately causes file system errors on
nilfs2 with a corrupted disk image, it has been reported that
nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a
general protection fault.
In nilfs_clear_dirty_pages(), when looking up dirty pages from the page
cache and calling nilfs_clear_dirty_page() for each dirty page/folio
retrieved, the back reference from the argument page to "mapping" may have
been changed to NULL (and possibly others). It is necessary to check this
after locking the page/folio.
So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio
after locking it in nilfs_clear_dirty_pages() if the back reference
"mapping" from the page/folio is different from the "mapping" that held
the page/folio just before.
Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
---
Please apply this patch to the above stable trees instead of the patch
that could not be applied to them. This patch resolves the conflict
caused by the recent page to folio conversion applied in
nilfs_clear_dirty_pages(). The general protection fault reported by
syzbot reproduces on these stable kernels before the page/folio
conversion is applied. This fixes it.
With this tweak, this patch is applicable from v3.10 to v6.2. Also,
this patch has been tested against the -stable trees of each version in
the subject prefix.
fs/nilfs2/page.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index 39b7eea2642a..7d31833e68d1 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -369,7 +369,15 @@ void nilfs_clear_dirty_pages(struct address_space *mapping, bool silent)
struct page *page = pvec.pages[i];
lock_page(page);
- nilfs_clear_dirty_page(page, silent);
+
+ /*
+ * This page may have been removed from the address
+ * space by truncation or invalidation when the lock
+ * was acquired. Skip processing in that case.
+ */
+ if (likely(page->mapping == mapping))
+ nilfs_clear_dirty_page(page, silent);
+
unlock_page(page);
}
pagevec_release(&pvec);
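Review bot: the likely() around page->mapping == mapping adds a branch hint directly after lock_page(), where any prediction benefit is negligible next to the cost of taking the page lock. A plain if (page->mapping == mapping) would read more simply, and if the hint is kept only for parity with the upstream folio version, the note under the --- separator is a good place to say so. Comparing against mapping rather than testing for NULL is the right form, since it also covers the "and possibly others" case the changelog mentions.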
--
2.39.3
* Re: [PATCH 4.14 4.19 5.4 5.10 5.15 6.1] nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
From: Greg Kroah-Hartman @ 2023-06-24 14:08 UTC (permalink / raw)
To: Ryusuke Konishi; +Cc: stable, Andrew Morton
On Sat, Jun 24, 2023 at 01:18:02PM +0900, Ryusuke Konishi wrote:
> commit 782e53d0c14420858dbf0f8f797973c150d3b6d7 upstream.
>
> In a syzbot stress test that deliberately causes file system errors on
> nilfs2 with a corrupted disk image, it has been reported that
> nilfs_clear_dirty_page() called from nilfs_clear_dirty_pages() can cause a
> general protection fault.
>
> In nilfs_clear_dirty_pages(), when looking up dirty pages from the page
> cache and calling nilfs_clear_dirty_page() for each dirty page/folio
> retrieved, the back reference from the argument page to "mapping" may have
> been changed to NULL (and possibly others). It is necessary to check this
> after locking the page/folio.
>
> So, fix this issue by not calling nilfs_clear_dirty_page() on a page/folio
> after locking it in nilfs_clear_dirty_pages() if the back reference
> "mapping" from the page/folio is different from the "mapping" that held
> the page/folio just before.
>
> Link: https://lkml.kernel.org/r/20230612021456.3682-1-konishi.ryusuke@gmail.com
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Reported-by: syzbot+53369d11851d8f26735c@syzkaller.appspotmail.com
> Closes: https://lkml.kernel.org/r/000000000000da4f6b05eb9bf593@google.com
> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> ---
> Please apply this patch to the above stable trees instead of the patch
> that could not be applied to them. This patch resolves the conflict
> caused by the recent page to folio conversion applied in
> nilfs_clear_dirty_pages(). The general protection fault reported by
> syzbot reproduces on these stable kernels before the page/folio
> conversion is applied. This fixes it.
>
> With this tweak, this patch is applicable from v3.10 to v6.2. Also,
> this patch has been tested against the -stable trees of each version in
> the subject prefix.
Now queued up, thanks.
greg k-h