CVE-2021-46982

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: compress: fix race condition of overwrite vs truncate<br /> <br /> pos_fsstress testcase complains a panic as belew:<br /> <br /> ------------[ cut here ]------------<br /> kernel BUG at fs/f2fs/compress.c:1082!<br /> invalid opcode: 0000 [#1] SMP PTI<br /> CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G OE 5.12.0-rc1-custom #1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014<br /> Workqueue: writeback wb_workfn (flush-252:16)<br /> RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs]<br /> Call Trace:<br /> f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs]<br /> f2fs_write_cache_pages+0x468/0x8a0 [f2fs]<br /> f2fs_write_data_pages+0x2a4/0x2f0 [f2fs]<br /> do_writepages+0x38/0xc0<br /> __writeback_single_inode+0x44/0x2a0<br /> writeback_sb_inodes+0x223/0x4d0<br /> __writeback_inodes_wb+0x56/0xf0<br /> wb_writeback+0x1dd/0x290<br /> wb_workfn+0x309/0x500<br /> process_one_work+0x220/0x3c0<br /> worker_thread+0x53/0x420<br /> kthread+0x12f/0x150<br /> ret_from_fork+0x22/0x30<br /> <br /> The root cause is truncate() may race with overwrite as below,<br /> so that one reference count left in page can not guarantee the<br /> page attaching in mapping tree all the time, after truncation,<br /> later find_lock_page() may return NULL pointer.<br /> <br /> - prepare_compress_overwrite<br /> - f2fs_pagecache_get_page<br /> - unlock_page<br /> - f2fs_setattr<br /> - truncate_setsize<br /> - truncate_inode_page<br /> - delete_from_page_cache<br /> - find_lock_page<br /> <br /> Fix this by avoiding referencing updated page.