android_kernel_xiaomi_sm8450/fs
Chao Yu 69dc2c1a79 UPSTREAM: f2fs: fix to avoid use-after-free for cached IPU bio
[ Upstream commit 5cdb422c839134273866208dad5360835ddb9794 ]

xfstest generic/019 reports a bug:

kernel BUG at mm/filemap.c:1619!
RIP: 0010:folio_end_writeback+0x8a/0x90
Call Trace:
 end_page_writeback+0x1c/0x60
 f2fs_write_end_io+0x199/0x420
 bio_endio+0x104/0x180
 submit_bio_noacct+0xa5/0x510
 submit_bio+0x48/0x80
 f2fs_submit_write_bio+0x35/0x300
 f2fs_submit_merged_ipu_write+0x2a0/0x2b0
 f2fs_write_single_data_page+0x838/0x8b0
 f2fs_write_cache_pages+0x379/0xa30
 f2fs_write_data_pages+0x30c/0x340
 do_writepages+0xd8/0x1b0
 __writeback_single_inode+0x44/0x370
 writeback_sb_inodes+0x233/0x4d0
 __writeback_inodes_wb+0x56/0xf0
 wb_writeback+0x1dd/0x2d0
 wb_workfn+0x367/0x4a0
 process_one_work+0x21d/0x430
 worker_thread+0x4e/0x3c0
 kthread+0x103/0x130
 ret_from_fork+0x2c/0x50

The root cause is: after cp_error is set, f2fs_submit_merged_ipu_write()
in f2fs_write_single_data_page() tries to flush the IPU bio in the cache; however,
f2fs_submit_merged_ipu_write() failed to check the validity of the @bio parameter,
resulting in the submission of a random cached bio which belongs to another IO context,
which then causes a use-after-free issue. Fix it by adding an additional
validity check.

Fixes: 0b20fcec86 ("f2fs: cache global IPU bio")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bug: 268109575
Change-Id: Ifbdad0f8e8b51592ed63d025cf13965e623a7956
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
2023-06-29 13:13:11 +00:00
9p This is the 5.10.124 stable release 2022-07-28 15:53:46 +02:00
adfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
affs Merge 5.10.166 into android12-5.10-lts 2023-02-17 12:18:56 +00:00
afs This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
autofs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
befs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
bfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
btrfs BACKPORT: btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() 2023-06-23 12:05:26 +00:00
cachefiles ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
ceph Merge 5.10.168 into android12-5.10-lts 2023-02-17 15:23:41 +00:00
cifs This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
coda This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
configfs This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
cramfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
crypto ANDROID: abi preservation for fscrypt change in 5.10.154 2022-12-01 16:47:19 +00:00
debugfs debugfs: fix error when writing negative value to atomic_t debugfs file 2023-01-14 10:15:19 +01:00
devpts fsnotify: fix fsnotify hooks in pseudo filesystems 2022-02-01 17:25:39 +01:00
dlm fs: dlm: handle -EBUSY first in lock arg validation 2022-10-26 13:25:08 +02:00
ecryptfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
efivarfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
efs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
erofs UPSTREAM: erofs: fix an error code in z_erofs_init_zip_subsystem() 2023-04-17 22:07:07 +00:00
exfat This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
exportfs
ext2 This is the 5.10.137 stable release 2022-08-29 16:53:14 +02:00
ext4 Merge tag 'android12-5.10.177_r00' into android12-5.10 2023-05-26 15:09:40 +00:00
f2fs UPSTREAM: f2fs: fix to avoid use-after-free for cached IPU bio 2023-06-29 13:13:11 +00:00
fat This is the 5.10.121 stable release 2022-07-23 16:10:22 +02:00
freevxfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
fscache ANDROID: GKI: set more vfs-only exports into their own namespace 2022-04-07 20:52:29 +02:00
fuse Merge tag 'android12-5.10.160_r00' into android12-5.10 2023-01-21 12:06:54 +00:00
gfs2 This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
hfs This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
hfsplus This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
hostfs hostfs: fix memory handling in follow_link() 2021-04-14 08:42:06 +02:00
hpfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
hugetlbfs hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() 2023-01-14 10:16:20 +01:00
incfs ANDROID: incremental fs: Evict inodes before freeing mount data 2023-04-04 15:48:57 +00:00
iomap This is the 5.10.129 stable release 2022-07-28 16:55:29 +02:00
isofs Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
jbd2 This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
jffs2 This is the 5.10.176 stable release 2023-03-24 16:03:04 +00:00
jfs This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
kernfs This is the 5.10.153 stable release 2022-11-21 15:47:06 +00:00
lockd lockd: lockd server-side shouldn't set fl_ops 2021-09-18 13:40:30 +02:00
minix This is the 5.10.111 stable release 2022-04-21 14:27:41 +02:00
nfs This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
nfs_common nfs_common: need lock during iterate through the list 2020-12-30 11:53:45 +01:00
nfsd This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
nilfs2 This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
nls ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
notify This is the 5.10.121 stable release 2022-07-23 16:10:22 +02:00
ntfs This is the 5.10.156 stable release 2022-12-02 08:42:05 +00:00
ocfs2 This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
omfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
openpromfs
orangefs This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
overlayfs This is the 5.10.169 stable release 2023-02-25 15:32:12 +00:00
proc Merge 5.10.168 into android12-5.10-lts 2023-02-17 15:23:41 +00:00
pstore FROMGIT: pstore: Revert pmsg_lock back to a normal mutex 2023-06-10 04:05:26 +00:00
qnx4 Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
qnx6 ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
quota ext4: fix bug_on in __es_tree_search caused by bad quota inode 2023-01-14 10:16:38 +01:00
ramfs ramfs: fix nommu mmap with gaps in the page cache 2020-10-16 11:11:22 -07:00
reiserfs Merge 5.10.166 into android12-5.10-lts 2023-02-17 12:18:56 +00:00
romfs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
squashfs This is the 5.10.169 stable release 2023-02-25 15:32:12 +00:00
sysfs
sysv This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
tracefs This is the 5.10.144 stable release 2022-09-22 14:50:45 +02:00
ubifs This is the 5.10.173 stable release 2023-03-22 11:21:35 +00:00
udf This is the 5.10.175 stable release 2023-03-24 14:42:30 +00:00
ufs ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
unicode
vboxsf Merge tag 'android12-5.10.81_r00' into android12-5.10 2022-01-21 09:35:04 +01:00
verity This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
xfs UPSTREAM: xfs: verify buffer contents when we skip log replay 2023-06-23 12:20:27 +00:00
zonefs This is the 5.10.177 stable release 2023-04-05 14:11:48 +00:00
aio.c aio: fix mremap after fork null-deref 2023-02-22 12:55:54 +01:00
anon_inodes.c UPSTREAM: fs: anon_inodes: rephrase to appropriate kernel-doc 2021-03-03 16:18:33 +00:00
attr.c This is the 5.10.176 stable release 2023-03-24 16:03:04 +00:00
bad_inode.c ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
binfmt_aout.c
binfmt_elf_fdpic.c This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
binfmt_elf.c This is the 5.10.153 stable release 2022-11-21 15:47:06 +00:00
binfmt_em86.c
binfmt_flat.c binfmt_flat: do not stop relocating GOT entries prematurely on riscv 2022-06-09 10:20:47 +02:00
binfmt_misc.c This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
binfmt_script.c
block_dev.c ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
buffer.c This is the 5.10.156 stable release 2022-12-02 08:42:05 +00:00
char_dev.c chardev: fix error handling in cdev_device_add() 2023-01-14 10:15:59 +01:00
compat_binfmt_elf.c
coredump.c UPSTREAM: coredump: Limit what can interrupt coredumps 2023-02-07 13:38:13 +00:00
d_path.c fs: fix NULL dereference due to data race in prepend_path() 2020-10-14 14:54:45 -07:00
dax.c dax: fix cache flush on PMD-mapped pages 2022-06-09 10:21:16 +02:00
dcache.c ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
dcookies.c
direct-io.c ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
drop_caches.c
eventfd.c UPSTREAM: eventfd: provide a eventfd_signal_mask() helper 2023-02-07 13:38:16 +00:00
eventpoll.c UPSTREAM: eventpoll: add EPOLL_URING_WAKE poll wakeup flag 2023-02-07 13:38:16 +00:00
exec.c This is the 5.10.153 stable release 2022-11-21 15:47:06 +00:00
fcntl.c fcntl: fix potential deadlocks for &fown_struct.lock 2022-10-30 09:41:18 +01:00
fhandle.c
file_table.c SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() 2022-05-18 10:23:48 +02:00
file.c fs: prevent out-of-bounds array speculation when closing a file descriptor 2023-03-17 08:45:05 +01:00
filesystems.c
fs_context.c memcg: charge fs_context and legacy_fs_context 2022-02-08 18:30:36 +01:00
fs_parser.c fs_parse: mark fs_param_bad_value() as static 2020-10-13 18:38:27 -07:00
fs_pin.c
fs_struct.c
fs_types.c ANDROID: GKI: set more vfs-only exports into their own namespace 2022-04-07 20:52:29 +02:00
fs-writeback.c This is the 5.10.121 stable release 2022-07-23 16:10:22 +02:00
fsopen.c
init.c
inode.c This is the 5.10.176 stable release 2023-03-24 16:03:04 +00:00
internal.h attr: add setattr_should_drop_sgid() 2023-03-22 13:30:07 +01:00
ioctl.c This is the 5.10.118 stable release 2022-06-06 16:37:12 +02:00
Kconfig Merge 5.10.17 into android12-5.10 2021-02-18 11:21:01 +01:00
Kconfig.binfmt
kernel_read_file.c vfs: check fd has read access in kernel_read_file_from_fd() 2021-10-27 09:56:51 +02:00
libfs.c This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00
locks.c filelock: new helper: vfs_inode_has_locks 2023-01-14 10:16:47 +01:00
Makefile UPSTREAM: io_uring: import 5.15-stable io_uring 2023-02-07 13:38:15 +00:00
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2023-01-14 10:16:50 +01:00
mount.h
mpage.c ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
namei.c This is the 5.10.176 stable release 2023-03-24 16:03:04 +00:00
namespace.c ANDROID: GKI: set vfs-only exports into their own namespace 2022-01-11 09:30:47 +01:00
no-block.c
nsfs.c
open.c This is the 5.10.176 stable release 2023-03-24 16:03:04 +00:00
pipe.c BACKPORT: pipe: Fix missing lock in pipe_resize_ring() 2022-09-12 22:52:59 +00:00
pnode.c pnode: terminate at peers of source 2023-01-14 10:16:27 +01:00
pnode.h mount: fix mounting of detached mounts onto targets that reside on shared mounts 2021-03-17 17:06:13 +01:00
posix_acl.c
proc_namespace.c proc mountinfo: make splice available again 2020-12-30 11:54:02 +01:00
read_write.c This is the 5.10.160 stable release 2022-12-20 12:38:28 +00:00
readdir.c readdir: make sure to verify directory entry for legacy interfaces too 2021-04-21 13:00:54 +02:00
remap_range.c fs/remap: constrain dedupe of EOF blocks 2022-07-21 21:20:01 +02:00
select.c select: Fix indefinitely sleeping task in poll_schedule_timeout() 2022-01-29 10:26:11 +01:00
seq_file.c seq_file: disallow extremely large seq buffer allocations 2021-07-20 16:05:59 +02:00
signalfd.c Revert "io_uring: disable polling pollfree files" 2022-09-22 13:22:53 +02:00
splice.c This is the 5.10.149 stable release 2022-10-19 11:11:59 +02:00
stack.c
stat.c This is the 5.10.113 stable release 2022-05-12 11:23:35 +02:00
statfs.c
super.c This is the 5.10.154 stable release 2022-11-29 23:38:14 +00:00
sync.c This is the 5.10.140 stable release 2022-08-31 18:52:48 +02:00
timerfd.c ANDROID: fs: Add vendor hooks for ep_create_wakeup_source & timerfd_create 2021-03-24 17:57:22 +00:00
userfaultfd.c This is the 5.10.150 stable release 2022-11-15 19:14:08 +00:00
utimes.c
xattr.c This is the 5.10.163 stable release 2023-02-06 12:30:05 +00:00