iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,048,020 Commits 104 Branches 1,843 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Zhang Yi e58742f46a ext4: fix an use-after-free issue about data=journal writeback mode 
commit 5c48a7df91499e371ef725895b2e2d21a126e227 upstream.

Our syzkaller report an use-after-free issue that accessing the freed
buffer_head on the writeback page in __ext4_journalled_writepage(). The
problem is that if there was a truncate racing with the data=journalled
writeback procedure, the writeback length could become zero and
bget_one() refuse to get buffer_head's refcount, then the truncate
procedure release buffer once we drop page lock, finally, the last
ext4_walk_page_buffers() trigger the use-after-free problem.

sync                               truncate
ext4_sync_file()
 file_write_and_wait_range()
                                   ext4_setattr(0)
                                    inode->i_size = 0
  ext4_writepage()
   len = 0
   __ext4_journalled_writepage()
    page_bufs = page_buffers(page)
    ext4_walk_page_buffers(bget_one) <- does not get refcount
                                    do_invalidatepage()
                                      free_buffer_head()
    ext4_walk_page_buffers(page_bufs) <- trigger use-after-free

After commit bdf96838aea6 ("ext4: fix race between truncate and
__ext4_journalled_writepage()"), we have already handled the racing
case, so the bget_one() and bput_one() are not needed. So this patch
simply remove these hunk, and recheck the i_size to make it safe.

Fixes: bdf96838aea6 ("ext4: fix race between truncate and __ext4_journalled_writepage()")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211225090937.712867-1-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-01-27 11:05:18 +01:00
arch
powerpc/64s/radix: Fix huge vmap false positive
2022-01-27 11:05:12 +01:00
block
block: check minor range in device_add_disk()
2022-01-27 11:04:48 +01:00
certs
certs: Add support for using elliptic curve keys for signing modules
2021-08-23 19:55:42 +03:00
crypto
crypto: jitter - consider 32 LSB for APT
2022-01-27 11:04:31 +01:00
Documentation
HID: i2c-hid-of: Expose the touchscreen-inverted properties
2022-01-27 11:04:41 +01:00
drivers
PCI: pci-bridge-emul: Set PCI_STATUS_CAP_LIST for PCIe device
2022-01-27 11:05:14 +01:00
fs
ext4: fix an use-after-free issue about data=journal writeback mode
2022-01-27 11:05:18 +01:00
include
xfrm: fix dflt policy check when there is no policy configured
2022-01-27 11:05:14 +01:00
init
init: make unknown command line param message clearer
2021-11-18 19:17:11 +01:00
ipc
shm: extend forced shm destroy to support objects from several IPC nses
2021-11-25 09:48:42 +01:00
kernel
tracing: Have syscall trace events use trace_event_buffer_lock_reserve()
2022-01-27 11:05:09 +01:00
lib
kunit: Don't crash if no parameters are generated
2022-01-27 11:04:40 +01:00
LICENSES
LICENSES/dual/CC-BY-4.0: Git rid of "smart quotes"
2021-07-15 06:31:24 -06:00
mm
shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode
2022-01-27 11:03:01 +01:00
net
xfrm: fix policy lookup for ipv6 gre packets
2022-01-27 11:05:14 +01:00
samples
samples: bpf: Fix 'unknown warning group' build warning on Clang
2022-01-27 11:03:29 +01:00
scripts
recordmcount.pl: fix typo in s390 mcount regex
2022-01-05 12:42:33 +01:00
security
selinux: fix potential memleak in selinux_add_opt()
2022-01-27 11:03:43 +01:00
sound
ASoC: mediatek: mt8183: fix device_node leak
2022-01-27 11:05:04 +01:00
tools
selftests/powerpc: Add a test of sigreturning to the kernel
2022-01-27 11:05:03 +01:00
usr
.gitignore: prefix local generated files with a slash
2021-05-02 00:43:35 +09:00
virt
KVM: downgrade two BUG_ONs to WARN_ON_ONCE
2021-12-22 09:32:34 +01:00
.clang-format
clang-format: Update with the latest for_each macro list
2021-05-12 23:32:39 +02:00
.cocciconfig
.get_maintainer.ignore
Opt out of scripts/get_maintainer.pl
2019-05-16 10:53:40 -07:00
.gitattributes
.gitattributes: use 'dts' diff driver for dts files
2019-12-04 19:44:11 -08:00
.gitignore
.gitignore: ignore only top-level modules.builtin
2021-05-02 00:43:35 +09:00
.mailmap
mailmap: add Andrej Shadura
2021-10-18 20:22:03 -10:00
COPYING
COPYING: state that all contributions really are covered by this file
2020-02-10 13:32:20 -08:00
CREDITS
MAINTAINERS: Move Daniel Drake to credits
2021-09-21 08:34:58 +03:00
Kbuild
kbuild: rename hostprogs-y/always to hostprogs/always-y
2020-02-04 01:53:07 +09:00
Kconfig
kbuild: ensure full rebuild when the compiler is updated
2020-05-12 13:28:33 +09:00
MAINTAINERS
drm fixes for 5.15 final
2021-10-28 12:17:01 -07:00
Makefile
Linux 5.15.16
2022-01-20 09:13:16 +01:00
README
Drop all 00-INDEX files from Documentation/
2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
Description
No description provided
Readme 5.7 GiB
Languages
C 97.6%
Assembly 1%
Shell 0.5%
Python 0.3%
Makefile 0.3%