public inbox for stable@vger.kernel.org
* [PATCH 4.19 5.4 5.10 5.15 6.1] nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
@ 2023-09-02 15:10 Ryusuke Konishi
From: Ryusuke Konishi @ 2023-09-02 15:10 UTC
  To: stable, Greg Kroah-Hartman; +Cc: Andrew Morton

commit f83913f8c5b882a312e72b7669762f8a5c9385e4 upstream.

A syzbot stress test reported that create_empty_buffers() called from
nilfs_lookup_dirty_data_buffers() can cause a general protection fault.

Analysis using its reproducer revealed that the back reference "mapping"
from a page/folio has been changed to NULL after dirty page/folio gang
lookup in nilfs_lookup_dirty_data_buffers().

Fix this issue by excluding pages/folios from being collected if, after
acquiring a lock on each page/folio, its back reference "mapping" differs
from the pointer to the address space struct that held the page/folio.

Link: https://lkml.kernel.org/r/20230805132038.6435-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+0ad741797f4565e7e2d2@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/0000000000002930a705fc32b231@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
---
Please apply this patch to the above stable trees instead of the patch
that could not be applied to them.  This patch resolves the conflict
caused by the recent page to folio conversion applied in
nilfs_lookup_dirty_data_buffers().  The general protection fault reported
by syzbot reproduces on these stable kernels before the page/folio
conversion is applied.  This fixes it.

With this tweak, this patch is applicable from v4.15 to v6.2.  Also,
this patch has been tested against the -stable trees of each version in
the subject prefix.

fs/nilfs2/segment.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
index 21e8260112c8..a4a147a983e0 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -725,6 +725,11 @@ static size_t nilfs_lookup_dirty_data_buffers(struct inode *inode,
 		struct page *page = pvec.pages[i];
 
 		lock_page(page);
+		if (unlikely(page->mapping != mapping)) {
+			/* Exclude pages removed from the address space */
+			unlock_page(page);
+			continue;
+		}
 		if (!page_has_buffers(page))
 			create_empty_buffers(page, i_blocksize(inode), 0);
 		unlock_page(page);
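Review bot: the ordering in this hunk is the important part of the fix and it is right: the `page->mapping != mapping` comparison sits after `lock_page(page)`, so the back reference is read under the page lock that the truncation path must also hold to clear it; a check taken before the lock (or on the unlocked pagevec entry) could still race and reach `create_empty_buffers()` with a detached page. The early `unlock_page(page); continue;` keeps lock/unlock balanced and leaves the page reference owned by `pvec.pages[i]` for the normal pagevec release, so nothing leaks. One small suggestion: extend the comment to say that the test also covers `page->mapping == NULL`, which is the exact state the syzbot reproducer hit per the commit message, so a later reader does not wonder why there is no separate NULL check.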
-- 
2.39.3

