[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240213140933.632481-1-r.smirnov@omp.ru>
Date: Tue, 13 Feb 2024 14:09:32 +0000
From: Roman Smirnov <r.smirnov@....ru>
To: <stable@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC: Roman Smirnov <r.smirnov@....ru>, "Matthew Wilcox (Oracle)"
<willy@...radead.org>, Andrew Morton <akpm@...ux-foundation.org>, Alexey
Khoroshilov <khoroshilov@...ras.ru>, Sergey Shtylyov <s.shtylyov@....ru>,
Karina Yankevich <k.yankevich@....ru>, <lvc-project@...uxtesting.org>,
<linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<linux-mm@...ck.org>
Subject: [PATCH 5.10/5.15 v2 0/1 RESEND] mm/truncate: fix WARNING in ext4_set_page_dirty()
Syzkaller reports warning in ext4_set_page_dirty() in 5.10 and 5.15
stable releases. It happens because invalidate_inode_page() frees pages
that are needed for the system. To fix this we need to add additional
checks to the function. page_mapped() checks if a page exists in the
page tables, but this is not enough. The page can be used in other places:
https://elixir.bootlin.com/linux/v6.8-rc1/source/include/linux/page_ref.h#L71
Kernel outputs an error line related to direct I/O:
https://syzkaller.appspot.com/text?tag=CrashLog&x=14ab52dac80000
The problem can be fixed in 5.10 and 5.15 stable releases by the
following patch.
The patch replaces page_mapped() call with check that finds additional
references to the page excluding page cache and filesystem private data.
If additional references exist, the page cannot be freed.
This version does not include the first patch from the first version.
The problem can be fixed without it.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Link: https://syzkaller.appspot.com/bug?extid=02f21431b65c214aa1d6
Previous discussion:
https://lore.kernel.org/all/20240125130947.600632-1-r.smirnov@omp.ru/T/
Matthew Wilcox (Oracle) (1):
mm/truncate: Replace page_mapped() call in invalidate_inode_page()
mm/truncate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
2.34.1
Powered by blists - more mailing lists