git.proxmox.com Git - mirror_ubuntu-kernels.git/commit

author	Ryusuke Konishi <konishi.ryusuke@gmail.com>
	Sat, 5 Aug 2023 13:20:38 +0000 (22:20 +0900)
committer	Stefan Bader <stefan.bader@canonical.com>
	Mon, 30 Oct 2023 11:00:33 +0000 (12:00 +0100)
commit	e8b5aa7b6aa2d65812d3b8ce7b1a4a76a562d4fc
tree	8fadc3d2f56b5b1f6facf101f4715d780dc5efbe	tree
parent	209aa0458a93be8c2c9c11e96af0c29c85264193	commit \| diff

nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()

BugLink: https://bugs.launchpad.net/bugs/2039884
commit f83913f8c5b882a312e72b7669762f8a5c9385e4 upstream.

A syzbot stress test reported that create_empty_buffers() called from
nilfs_lookup_dirty_data_buffers() can cause a general protection fault.

Analysis using its reproducer revealed that the back reference "mapping"
from a page/folio has been changed to NULL after dirty page/folio gang
lookup in nilfs_lookup_dirty_data_buffers().

Fix this issue by excluding pages/folios from being collected if, after
acquiring a lock on each page/folio, its back reference "mapping" differs
from the pointer to the address space struct that held the page/folio.

Link: https://lkml.kernel.org/r/20230805132038.6435-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+0ad741797f4565e7e2d2@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/0000000000002930a705fc32b231@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>