CVE-2024-47669

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix state management in error path of log writing function

After commit a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling.

First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang.

Second, the NILFS_I_COLLECTED flag set on normal inodes remains uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping.

Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.
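A simplified C model of the two error-path flaws described above, added here as an illustration; it is not kernel code and not the nilfs2 patch. The struct, the functions run_log_write and partial_write, and the boolean flags are assumptions that stand in for the kernel state named in the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: one inode's state across a multi-log write. */
struct state {
    bool writeback;  /* stands in for the page/folio writeback flag */
    bool collected;  /* stands in for NILFS_I_COLLECTED */
    bool on_dirty;   /* inode is still on the sc_dirty_files list */
};

/* Models the cleanup done by nilfs_segctor_abort_construction(). */
static void abort_construction(struct state *s)
{
    s->writeback = false;  /* page cache waiters can proceed */
    s->collected = false;  /* inode is redirtied for the next attempt */
}

/* Log loop: log number fail_at (1-based, 0 = never) fails in its begin step. */
struct state run_log_write(int nlogs, int fail_at, bool fixed)
{
    struct state s = { .on_dirty = true };
    for (int n = 1; n <= nlogs; n++) {
        if (n == fail_at) {
            if (fixed)
                abort_construction(&s);  /* fix: abort on every failure */
            return s;                    /* unfixed: flags stay set */
        }
        s.collected = true;              /* collect step for this log */
        s.writeback = true;              /* I/O issued, wait is deferred */
    }
    s.writeback = s.collected = s.on_dirty = false;  /* normal completion */
    return s;
}

/* Later partial log write (no checkpoint): a stale collected flag drops the inode. */
struct state partial_write(struct state s)
{
    if (s.collected)
        s.on_dirty = false;  /* removed from the list, blocks never written */
    return s;
}

int main(void)
{
    struct state v = partial_write(run_log_write(3, 2, false));
    struct state f = partial_write(run_log_write(3, 2, true));
    printf("unfixed: writeback=%d on_dirty=%d\n", v.writeback, v.on_dirty);
    printf("fixed:   writeback=%d on_dirty=%d\n", f.writeback, f.on_dirty);
    return 0;
}
```

In the unfixed path the writeback flag stays set (the hang) and the inode leaves the dirty list unwritten (the block mapping corruption); with the abort call both flags are cleared and the inode stays queued.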

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.33 (including) 4.19.322 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.284 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.226 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*