CVE-2024-26956

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2024
Last modified: 23/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix failure to detect DAT corruption in btree and direct mappings

Patch series "nilfs2: fix kernel bug at submit_bh_wbc()".

This resolves a kernel BUG reported by syzbot. Since there are two flaws involved, I've made each one a separate patch.

The first patch alone resolves the syzbot-reported bug, but I think both fixes should be sent to stable, so I've tagged them as such.

This patch (of 2):

Syzbot has reported a kernel bug in submit_bh_wbc() when writing file data to a nilfs2 file system whose metadata is corrupted.

There are two flaws involved in this issue.

The first flaw is that when nilfs_get_block() locates a data block using btree or direct mapping, if the disk address translation routine nilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata corruption, it can be passed back to nilfs_get_block(). This causes nilfs_get_block() to misidentify an existing block as non-existent, causing both data block lookup and insertion to fail inconsistently.

The second flaw is that nilfs_get_block() returns a successful status in this inconsistent state. This causes the caller __block_write_begin_int() or others to request a read even though the buffer is not mapped, resulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc() failing.

This fixes the first issue by changing the return value to code -EINVAL when a conversion using DAT fails with code -ENOENT, avoiding the conflicting condition that leads to the kernel bug described above. Here, code -EINVAL indicates that metadata corruption was detected during the block lookup, which will be properly handled as a file system error and converted to -EIO when passing through the nilfs2 bmap layer.
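As an added illustration of the error-code aliasing the description outlines (a constructed model, not nilfs2 or kernel code; the function names, the in-memory DAT table and the block numbers are all hypothetical): a DAT lookup that reports a missing entry with the same -ENOENT the mapping layer uses for a hole, beside the corrected mapping that turns that -ENOENT into -EINVAL so the caller surfaces it as -EIO instead of returning success with an unmapped buffer.

```c
#include <errno.h>
/* Constructed DAT: virtual block -> physical block; 0 marks a missing/corrupt entry. */
#define NENTRIES 4
static const unsigned long dat_table[NENTRIES] = { 100, 0, 102, 103 };
/* Hypothetical btree/direct mapping: file block n maps to virtual block n. */
static int mapping_lookup(unsigned long fblock, unsigned long *vblocknr)
{
    if (fblock >= NENTRIES)
        return -ENOENT;                 /* legitimately absent: a hole */
    *vblocknr = fblock;
    return 0;
}
/* Hypothetical DAT translation: -ENOENT is its internal "entry missing" code,
 * the same value the mapping layer uses for a hole. */
static int dat_translate(unsigned long vblocknr, unsigned long *pblocknr)
{
    if (vblocknr >= NENTRIES || dat_table[vblocknr] == 0)
        return -ENOENT;
    *pblocknr = dat_table[vblocknr];
    return 0;
}
/* Vulnerable mapping: the DAT's -ENOENT leaks out and is read as "hole". */
int lookup_vulnerable(unsigned long fblock, unsigned long *pblocknr)
{
    unsigned long v;
    int ret = mapping_lookup(fblock, &v);
    return ret ? ret : dat_translate(v, pblocknr);
}
/* Fixed mapping: a DAT -ENOENT becomes -EINVAL, so callers can tell a
 * hole (-ENOENT) from detected metadata corruption (-EINVAL). */
int lookup_fixed(unsigned long fblock, unsigned long *pblocknr)
{
    unsigned long v;
    int ret = mapping_lookup(fblock, &v);
    if (ret == 0 && (ret = dat_translate(v, pblocknr)) == -ENOENT)
        ret = -EINVAL;
    return ret;
}

/* get_block-style caller: -ENOENT means "hole, leave the buffer unmapped, report
 * success"; -EINVAL is turned into -EIO as the bmap layer does. */
int get_block(unsigned long fblock, unsigned long *pblocknr, int fixed)
{
    int ret = fixed ? lookup_fixed(fblock, pblocknr) : lookup_vulnerable(fblock, pblocknr);
    if (ret == -ENOENT)
        return 0;
    return ret == -EINVAL ? -EIO : ret;
}
```

With the constructed table, file block 1 exists but its DAT entry is corrupt: the vulnerable path reports success for it with no mapping, which is the state that trips the BH_Mapped check described above, while the fixed path fails the lookup with -EIO.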

Vulnerable products and versions

CPE                                               From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      2.6.31 (including)   4.19.312 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)     5.4.274 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)      5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)     5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)     6.1.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)      6.6.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)      6.7.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.8 (including)      6.8.3 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*