ext4: don't BUG if someone dirty pages without asking ext4 first

stable inclusion from stable-v5.10.110 commit 330d0e44fc5a47c27df958ecdd4693a3cb1d8b81 bugzilla: https://gitee.com/openeuler/kernel/issues/I574AL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=330d0e44fc5a47c27df958ecdd4693a3cb1d8b81 -------------------------------- [ Upstream commit cc509574 ] [un]pin_user_pages_remote is dirtying pages without properly warning the file system in advance. A related race was noted by Jan Kara in 2018[1]; however, more recently instead of it being a very hard-to-hit race, it could be reliably triggered by process_vm_writev(2) which was discovered by Syzbot[2]. This is technically a bug in mm/gup.c, but arguably ext4 is fragile in that if some other kernel subsystem dirty pages without properly notifying the file system using page_mkwrite(), ext4 will BUG, while other file systems will not BUG (although data will still be lost). So instead of crashing with a BUG, issue a warning (since there may be potential data loss) and just mark the page as clean to avoid unprivileged denial of service attacks until the problem can be properly fixed. More discussion and background can be found in the thread starting at [2]. [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz [2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com Reported-by: N Lee Jones <lee.jones@linaro.org> Signed-off-by: N Theodore Ts'o <tytso@mit.edu> Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.eduSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yu Liao <liaoyu15@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

ext4: don't BUG if someone dirty pages without asking ext4 first
stable inclusion from stable-v5.10.110 commit 330d0e44fc5a47c27df958ecdd4693a3cb1d8b81 bugzilla: https://gitee.com/openeuler/kernel/issues/I574AL Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=330d0e44fc5a47c27df958ecdd4693a3cb1d8b81 -------------------------------- [ Upstream commit cc509574 ] [un]pin_user_pages_remote is dirtying pages without properly warning the file system in advance. A related race was noted by Jan Kara in 2018[1]; however, more recently instead of it being a very hard-to-hit race, it could be reliably triggered by process_vm_writev(2) which was discovered by Syzbot[2]. This is technically a bug in mm/gup.c, but arguably ext4 is fragile in that if some other kernel subsystem dirty pages without properly notifying the file system using page_mkwrite(), ext4 will BUG, while other file systems will not BUG (although data will still be lost). So instead of crashing with a BUG, issue a warning (since there may be potential data loss) and just mark the page as clean to avoid unprivileged denial of service attacks until the problem can be properly fixed. More discussion and background can be found in the thread starting at [2]. [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz [2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com Reported-by: N Lee Jones <lee.jones@linaro.org> Signed-off-by: N Theodore Ts'o <tytso@mit.edu> Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.eduSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Yu Liao <liaoyu15@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
0d4372c5 · Theodore Ts'o · Zheng Zengkai · 60a940cd · 0d4372c5
隐藏空白更改
内联并排

Showing with 25 addition and 0 deletion

fs/ext4/inode.c fs/ext4/inode.c +25 -0

未找到文件。
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2012,6 +2012,15 @@ static int ext4_writepage(struct page *page,
 	else
 		len = PAGE_SIZE;

+	/* Should never happen but for bugs in other kernel subsystems */
+	if (!page_has_buffers(page)) {
+		ext4_warning_inode(inode,
+		   "page %lu does not have buffers attached", page->index);
+		ClearPageDirty(page);
+		unlock_page(page);
+		return 0;
+	}
+
 	page_bufs = page_buffers(page);
 	/*
 	 * We cannot do block allocation or other extent handling in this
@@ -2621,6 +2630,22 @@ static int mpage_prepare_extent_to_map(struct mpage_da_data *mpd)
 			wait_on_page_writeback(page);
 			BUG_ON(PageWriteback(page));

+			/*
+			 * Should never happen but for buggy code in
+			 * other subsystems that call
+			 * set_page_dirty() without properly warning
+			 * the file system first.  See [1] for more
+			 * information.
+			 *
+			 * [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz
+			 */
+			if (!page_has_buffers(page)) {
+				ext4_warning_inode(mpd->inode, "page %lu does not have buffers attached", page->index);
+				ClearPageDirty(page);
+				unlock_page(page);
+				continue;
+			}
+
 			if (mpd->map.m_len == 0)
 				mpd->first_page = page->index;
 			mpd->next_page = page->index + 1;