CVE-2023-52582

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfs: Only call folio_start_fscache() one time for each folio<br /> <br /> If a network filesystem using netfs implements a clamp_length()<br /> function, it can set subrequest lengths smaller than a page size.<br /> <br /> When we loop through the folios in netfs_rreq_unlock_folios() to<br /> set any folios to be written back, we need to make sure we only<br /> call folio_start_fscache() once for each folio.<br /> <br /> Otherwise, this simple testcase:<br /> <br /> mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs<br /> dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1<br /> 1+0 records in<br /> 1+0 records out<br /> 4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s<br /> echo 3 &gt; /proc/sys/vm/drop_caches<br /> cat /mnt/nfs/file.bin &gt; /dev/null<br /> <br /> will trigger an oops similar to the following:<br /> <br /> page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))<br /> ------------[ cut here ]------------<br /> kernel BUG at include/linux/netfs.h:44!<br /> ...<br /> CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5<br /> ...<br /> RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]<br /> ...<br /> Call Trace:<br /> netfs_rreq_assess+0x497/0x660 [netfs]<br /> netfs_subreq_terminated+0x32b/0x610 [netfs]<br /> nfs_netfs_read_completion+0x14e/0x1a0 [nfs]<br /> nfs_read_completion+0x2f9/0x330 [nfs]<br /> rpc_free_task+0x72/0xa0 [sunrpc]<br /> rpc_async_release+0x46/0x70 [sunrpc]<br /> process_one_work+0x3bd/0x710<br /> worker_thread+0x89/0x610<br /> kthread+0x181/0x1c0<br /> ret_from_fork+0x29/0x50