CVE-2023-54068

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()<br /> <br /> BUG_ON() will be triggered when writing files concurrently,<br /> because the same page is writtenback multiple times.<br /> <br /> 1597 void folio_end_writeback(struct folio *folio)<br /> 1598 {<br /> ......<br /> 1618 if (!__folio_end_writeback(folio))<br /> 1619 BUG();<br /> ......<br /> 1625 }<br /> <br /> kernel BUG at mm/filemap.c:1619!<br /> Call Trace:<br /> <br /> f2fs_write_end_io+0x1a0/0x370<br /> blk_update_request+0x6c/0x410<br /> blk_mq_end_request+0x15/0x130<br /> blk_complete_reqs+0x3c/0x50<br /> __do_softirq+0xb8/0x29b<br /> ? sort_range+0x20/0x20<br /> run_ksoftirqd+0x19/0x20<br /> smpboot_thread_fn+0x10b/0x1d0<br /> kthread+0xde/0x110<br /> ? kthread_complete_and_exit+0x20/0x20<br /> ret_from_fork+0x22/0x30<br /> <br /> <br /> Below is the concurrency scenario:<br /> <br /> [Process A] [Process B] [Process C]<br /> f2fs_write_raw_pages()<br /> - redirty_page_for_writepage()<br /> - unlock page()<br /> f2fs_do_write_data_page()<br /> - lock_page()<br /> - clear_page_dirty_for_io()<br /> - set_page_writeback() [1st writeback]<br /> .....<br /> - unlock page()<br /> <br /> generic_perform_write()<br /> - f2fs_write_begin()<br /> - wait_for_stable_page()<br /> <br /> - f2fs_write_end()<br /> - set_page_dirty()<br /> <br /> - lock_page()<br /> - f2fs_do_write_data_page()<br /> - set_page_writeback() [2st writeback]<br /> <br /> This problem was introduced by the previous commit 7377e853967b ("f2fs:<br /> compress: fix potential deadlock of compress file"). All pagelocks were<br /> released in f2fs_write_raw_pages(), but whether the page was<br /> in the writeback state was ignored in the subsequent writing process.<br /> Let&amp;#39;s fix it by waiting for the page to writeback before writing.