linux/fs
Chen Zhongjin 512c5ca01a nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty
When extending segments, nilfs_sufile_alloc() is called to get an
unassigned segment, then mark it as dirty to avoid accidentally allocating
the same segment in the future.

But for some special cases such as a corrupted image it can be unreliable.
If such corruption of the dirty state of the segment occurs, nilfs2 may
reallocate a segment that is in use and pick the same segment for writing
twice at the same time.

This will cause the problem reported by syzkaller:
https://syzkaller.appspot.com/bug?id=c7c4748e11ffcc367cef04f76e02e931833cbd24

This case started with segbuf1.segnum = 3, nextnum = 4 when constructed. 
It supposed segment 4 has already been allocated and marked as dirty.

However the dirty state was corrupted and segment 4 usage was not dirty. 
For the first time nilfs_segctor_extend_segments() segment 4 was allocated
again, which made segbuf2 and next segbuf3 had same segment 4.

sb_getblk() will get same bh for segbuf2 and segbuf3, and this bh is added
to both buffer lists of two segbuf.  It makes the lists broken which
causes NULL pointer dereference.

Fix the problem by setting usage as dirty every time in
nilfs_sufile_mark_dirty(), which is called during constructing current
segment to be written out and before allocating next segment.

[chenzhongjin@huawei.com: add lock protection per Ryusuke]
  Link: https://lkml.kernel.org/r/20221121091141.214703-1-chenzhongjin@huawei.com
Link: https://lkml.kernel.org/r/20221118063304.140187-1-chenzhongjin@huawei.com
Fixes: 9ff05123e3 ("nilfs2: segment constructor")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Reported-by: <syzbot+77e4f0...@syzkaller.appspotmail.com>
Reported-by: Liu Shixin <liushixin2@huawei.com>
Acked-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2022-11-22 18:50:45 -08:00
..
9p 9p: Fix some kernel-doc comments 2022-07-02 18:52:21 +09:00
adfs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
affs affs: move from strlcpy with unused retval to strscpy 2022-08-19 13:03:10 +02:00
afs struct file-related stuff 2022-10-06 17:13:18 -07:00
autofs autofs: remove unused ino field inode 2022-07-17 17:31:42 -07:00
befs befs: Convert befs_symlink_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
bfs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
btrfs fs: fix leaked psi pressure state 2022-11-08 15:57:25 -08:00
cachefiles cachefiles: use vfs_tmpfile_open() helper 2022-09-24 07:00:00 +02:00
ceph Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
cifs cifs: fix use-after-free on the link name 2022-11-04 23:36:54 -05:00
coda coda: Convert coda_symlink_filler() to use a folio 2022-08-02 12:34:03 -04:00
configfs
cramfs cramfs: read_mapping_page() is synchronous 2022-08-02 12:34:02 -04:00
crypto fscrypt: fix keyring memory leak on mount failure 2022-10-19 20:54:43 -07:00
debugfs debugfs: use DEFINE_SHOW_ATTRIBUTE to define debugfs_regset32_fops 2022-09-24 15:00:48 +02:00
devpts
dlm Networking changes for 6.1. 2022-10-04 13:38:03 -07:00
ecryptfs whack-a-mole: constifying struct path * 2022-10-06 17:31:02 -07:00
efivarfs efi: efivars: Fix variable writes without query_variable_store() 2022-10-21 11:09:40 +02:00
efs efs: Convert efs symlinks to read_folio 2022-05-09 16:21:45 -04:00
erofs fs: fix leaked psi pressure state 2022-11-08 15:57:25 -08:00
exfat treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
exportfs Change calling conventions for filldir_t 2022-08-17 17:25:04 -04:00
ext2 treewide: use prandom_u32_max() when possible, part 2 2022-10-11 17:42:58 -06:00
ext4 Fix a number of bug fixes, including some regressions, the most 2022-11-06 10:30:29 -08:00
f2fs Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
fat treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
freevxfs freevxfs: Convert vxfs_immed_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
fscache fscache: add tracepoint when failing cookie 2022-08-09 14:13:59 +01:00
fuse fuse: add file_modified() to fallocate 2022-10-28 14:25:20 +02:00
gfs2 gfs2 debugfs improvements 2022-10-10 20:13:22 -07:00
hfs hfs: replace kmap() with kmap_local_page() in btree.c 2022-09-11 21:55:09 -07:00
hfsplus hfsplus: convert kmap() to kmap_local_page() in btree.c 2022-09-11 21:55:05 -07:00
hostfs hostfs: move from strlcpy with unused retval to strscpy 2022-09-19 22:46:25 +02:00
hpfs hpfs: Convert symlinks to read_folio 2022-05-09 16:21:45 -04:00
hugetlbfs hugetlbfs: don't delete error page from pagecache 2022-11-08 15:57:22 -08:00
iomap iomap: add a tracepoint for mappings returned by map_blocks 2022-10-02 11:42:19 -07:00
isofs - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
jbd2 - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
jffs2 mtd: always initialize 'stats' in struct mtd_oob_ops 2022-09-21 10:38:07 +02:00
jfs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
kernfs kernfs: fix use-after-free in __kernfs_remove 2022-09-24 13:52:27 +02:00
ksmbd 24 ksmbd server fixes 2022-10-07 08:19:26 -07:00
lockd SUNRPC: Parametrize how much of argsize should be zeroed 2022-09-26 14:02:42 -04:00
minix vfs: open inside ->tmpfile() 2022-09-24 07:00:00 +02:00
netfs netfs: do not unlock and put the folio twice 2022-07-14 10:10:12 +02:00
nfs nfs4: Fix kmemleak when allocate slot failed 2022-10-27 15:52:11 -04:00
nfs_common
nfsd Fixes: 2022-11-01 15:05:03 -07:00
nilfs2 nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty 2022-11-22 18:50:45 -08:00
nls
notify Merge tag 'fsnotify-for_v6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2022-10-07 08:28:50 -07:00
ntfs - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
ntfs3 treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
ocfs2 ocfs2: clear dinode links count in case of error 2022-10-20 21:27:22 -07:00
omfs fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
openpromfs fs: allocate inode by using alloc_inode_sb() 2022-03-22 15:57:03 -07:00
orangefs Orangefs: change iterate to iterate_shared 2022-10-13 09:56:14 -07:00
overlayfs tmpfile API change 2022-10-10 19:45:17 -07:00
proc proc/meminfo: fix spacing in SecPageTables 2022-11-22 18:50:44 -08:00
pstore Revert "pstore: migrate to crypto acomp interface" 2022-09-30 08:16:06 -07:00
qnx4 fs: Convert block_read_full_page() to block_read_full_folio() 2022-05-09 16:21:44 -04:00
qnx6 fs/qnx6: delete unnecessary checks before brelse() 2022-09-11 21:55:07 -07:00
quota quota: Add more checking after reading from quota file 2022-09-29 15:37:30 +02:00
ramfs tmpfile API change 2022-10-10 19:45:17 -07:00
reiserfs - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
romfs romfs: Convert romfs to read_folio 2022-05-09 16:21:46 -04:00
smbfs_common smb3: define missing create contexts 2022-10-05 01:55:27 -05:00
squashfs squashfs: fix buffer release race condition in readahead code 2022-10-28 13:37:21 -07:00
sysfs kobject: kobj_type: remove default_attrs 2022-04-05 15:39:19 +02:00
sysv Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
tracefs tracefs: Only clobber mode/uid/gid on remount if asked 2022-09-08 17:10:54 -04:00
ubifs Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
udf tmpfile API change 2022-10-10 19:45:17 -07:00
ufs ufs: replace ll_rw_block() 2022-09-11 20:26:07 -07:00
unicode
vboxsf vboxsf: Convert vboxsf to read_folio 2022-05-09 16:21:46 -04:00
verity for-6.1-tag 2022-10-06 17:36:48 -07:00
xfs xfs: rename XFS_REFC_COW_START to _COWFLAG 2022-10-31 08:58:22 -07:00
zonefs New code for 6.0: 2022-08-11 13:11:49 -07:00
aio.c aio: use atomic_try_cmpxchg in __get_reqs_available 2022-09-11 21:55:08 -07:00
anon_inodes.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
attr.c vfs: Check the truncate maximum size in inode_newsize_ok() 2022-08-08 10:39:29 -07:00
bad_inode.c vfs: open inside ->tmpfile() 2022-09-24 07:00:00 +02:00
binfmt_elf_fdpic.c
binfmt_elf_test.c
binfmt_elf.c fs/binfmt_elf: Fix memory leak in load_elf_binary() 2022-10-25 15:11:21 -07:00
binfmt_flat.c binfmt_flat: Remove shared library support 2022-04-22 10:57:18 -07:00
binfmt_misc.c
binfmt_script.c
buffer.c - hfs and hfsplus kmap API modernization from Fabio Francesco 2022-10-12 11:00:22 -07:00
char_dev.c
compat_binfmt_elf.c
coredump.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
d_path.c d_path.c: typo fix... 2022-08-20 11:34:33 -04:00
dax.c Merge branch 'for-6.0/dax' into libnvdimm-fixes 2022-09-24 18:14:12 -07:00
dcache.c tmpfile API change 2022-10-10 19:45:17 -07:00
direct-io.c block: remove PSI accounting from the bio layer 2022-09-20 08:24:38 -06:00
drop_caches.c
eventfd.c eventfd: guard wake_up in eventfd fs calls as well 2022-09-21 10:30:42 -06:00
eventpoll.c epoll: use try_cmpxchg in list_add_tail_lockless 2022-09-11 21:55:07 -07:00
exec.c 23 hotfixes. 2022-10-29 17:49:33 -07:00
fcntl.c keep iocb_flags() result cached in struct file 2022-06-10 16:10:23 -04:00
fhandle.c do_sys_name_to_handle(): constify path 2022-09-01 17:36:39 -04:00
file_table.c locks: fix TOCTOU race when granting write lease 2022-08-16 10:59:54 -04:00
file.c gfs2: Add glockfd debugfs file 2022-06-29 13:07:16 +02:00
filesystems.c
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE 2022-09-29 23:02:00 -04:00
fsopen.c uninline may_mount() and don't opencode it in fspick(2)/fsopen(2) 2022-05-19 23:25:10 -04:00
init.c
inode.c saner inode_init_always() 2022-10-06 16:49:00 -07:00
internal.h whack-a-mole: constifying struct path * 2022-10-06 17:31:02 -07:00
ioctl.c Fixes for 5.18-rc1: 2022-04-01 19:35:56 -07:00
Kconfig hugetlb: make hugetlb depends on SYSFS or SYSCTL 2022-09-11 20:26:10 -07:00
Kconfig.binfmt Xtensa updates for v6.1 2022-10-10 14:21:11 -07:00
kernel_read_file.c fs/kernel_read_file: allow to read files up-to ssize_t 2022-06-16 19:58:21 -07:00
libfs.c fs: uninline inode_maybe_inc_iversion() 2022-10-03 14:21:43 -07:00
locks.c locks: Fix dropped call to ->fl_release_private() 2022-08-17 15:08:58 -04:00
Makefile a.out: Remove the a.out implementation 2022-09-27 07:11:02 -07:00
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2022-09-30 23:46:52 -04:00
mount.h switch try_to_unlazy_next() to __legitimize_mnt() 2022-07-05 16:18:21 -04:00
mpage.c Folio changes for 6.0 2022-08-03 10:35:43 -07:00
namei.c tmpfile API change 2022-10-10 19:45:17 -07:00
namespace.c fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts 2022-08-17 11:27:11 +02:00
no-block.c
nsfs.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
open.c struct file-related stuff 2022-10-06 17:13:18 -07:00
pipe.c dynamic_dname(): drop unused dentry argument 2022-08-20 11:34:04 -04:00
pnode.c
pnode.h
posix_acl.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
proc_namespace.c vfs: escape hash as well 2022-06-28 13:58:05 -04:00
read_write.c [coredump] don't use __kernel_write() on kmap_local_page() 2022-09-28 14:28:40 -04:00
readdir.c Change calling conventions for filldir_t 2022-08-17 17:25:04 -04:00
remap_range.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
select.c
seq_file.c rxrpc: Fix locking issue 2022-05-22 21:03:01 +01:00
signalfd.c
splice.c iter_to_pipe(): switch to advancing variant of iov_iter_get_pages() 2022-08-08 22:37:23 -04:00
stack.c
stat.c vfs: support STATX_DIOALIGN on block devices 2022-09-11 19:47:12 -05:00
statfs.c
super.c fscrypt: fix keyring memory leak on mount failure 2022-10-19 20:54:43 -07:00
sync.c riscv: compat: syscall: Add compat_sys_call_table implementation 2022-04-26 13:36:25 -07:00
sysctls.c
timerfd.c
userfaultfd.c - Yu Zhao's Multi-Gen LRU patches are here. They've been under test in 2022-10-10 17:53:04 -07:00
utimes.c
xattr.c xattr: always us is_posix_acl_xattr() helper 2022-09-21 12:01:29 +02:00