CVE-2024-26696

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()<br /> <br /> Syzbot reported a hang issue in migrate_pages_batch() called by mbind()<br /> and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.<br /> <br /> While migrate_pages_batch() locks a folio and waits for the writeback to<br /> complete, the log writer thread that should bring the writeback to<br /> completion picks up the folio being written back in<br /> nilfs_lookup_dirty_data_buffers() that it calls for subsequent log<br /> creation and was trying to lock the folio. Thus causing a deadlock.<br /> <br /> In the first place, it is unexpected that folios/pages in the middle of<br /> writeback will be updated and become dirty. Nilfs2 adds a checksum to<br /> verify the validity of the log being written and uses it for recovery at<br /> mount, so data changes during writeback are suppressed. Since this is<br /> broken, an unclean shutdown could potentially cause recovery to fail.<br /> <br /> Investigation revealed that the root cause is that the wait for writeback<br /> completion in nilfs_page_mkwrite() is conditional, and if the backing<br /> device does not require stable writes, data may be modified without<br /> waiting.<br /> <br /> Fix these issues by making nilfs_page_mkwrite() wait for writeback to<br /> finish regardless of the stable write requirement of the backing device.