CVE-2024-56586
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/12/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode.

Creating a large file during checkpoint disable until it runs out of space and then deleting it, then remounting to enable checkpoint again, and then unmounting the filesystem triggers the f2fs_bug_on as below:

```
------------[ cut here ]------------
kernel BUG at fs/f2fs/inode.c:896!
CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:f2fs_evict_inode+0x58c/0x610
Call Trace:
__die_body+0x15/0x60
die+0x33/0x50
do_trap+0x10a/0x120
f2fs_evict_inode+0x58c/0x610
do_error_trap+0x60/0x80
f2fs_evict_inode+0x58c/0x610
exc_invalid_op+0x53/0x60
f2fs_evict_inode+0x58c/0x610
asm_exc_invalid_op+0x16/0x20
f2fs_evict_inode+0x58c/0x610
evict+0x101/0x260
dispose_list+0x30/0x50
evict_inodes+0x140/0x190
generic_shutdown_super+0x2f/0x150
kill_block_super+0x11/0x40
kill_f2fs_super+0x7d/0x140
deactivate_locked_super+0x2a/0x70
cleanup_mnt+0xb3/0x140
task_work_run+0x61/0x90
```

The root cause is: creating large files during the checkpoint-disable period results in not enough free segments, so writing back the root inode will fail in f2fs_enable_checkpoint. When unmounting the file system after enabling checkpoint, the root inode is dirty in the f2fs_evict_inode function, which triggers BUG_ON. The steps to reproduce are as follows:

```
dd if=/dev/zero of=f2fs.img bs=1M count=55
mount f2fs.img f2fs_dir -o checkpoint=disable:10%
dd if=/dev/zero of=big bs=1M count=50
sync
rm big
mount -o remount,checkpoint=enable f2fs_dir
umount f2fs_dir
```

Let's redirty the inode when there are no free segments while checkpoint is disabled.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.8 (including) | 5.4.287 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.231 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.174 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.120 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.66 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.5 (excluding) |
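
The ranges in the table and the trace in the description can be turned into a quick triage check. The following Python is an added example, not part of the advisory or the kernel patch: `in_affected_range` compares an upstream version against the table, and `find_evict_oops` scans kernel log text for this bug's signature; the function names and the first report in `SAMPLE_LOG` are constructed for illustration. It assumes the release string carries the upstream version (distribution kernels may backport the fix without changing it) and matches any line number in fs/f2fs/inode.c, since the line differs between source trees.

```python
import re

# Affected ranges copied from the table above: (first affected, first fixed).
AFFECTED = [("3.8", "5.4.287"), ("5.5", "5.10.231"), ("5.11", "5.15.174"),
            ("5.16", "6.1.120"), ("6.2", "6.6.66"), ("6.7", "6.12.5")]

BUG_RE = re.compile(r"kernel BUG at fs/f2fs/inode\.c:\d+!")
RIP_RE = re.compile(r"RIP: \S*f2fs_evict_inode\+")
COMM_RE = re.compile(r"Comm: (\S+)")

def parse_version(release):
    """Turn '6.11.0-rc7-dirty' into (6, 11, 0); suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(release):
    """True if the upstream version lies in one of the listed ranges."""
    v = parse_version(release)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED)

def find_evict_oops(log_text):
    """Return the Comm of each report that matches this bug's signature."""
    hits = []
    # Each kernel report starts with the "cut here" marker.
    for report in log_text.split("[ cut here ]")[1:]:
        if BUG_RE.search(report) and RIP_RE.search(report):
            comm = COMM_RE.search(report)
            hits.append(comm.group(1) if comm else "?")
    return hits

# Sample input: the first report is constructed and unrelated; the second
# uses lines from the trace in the description.
SAMPLE_LOG = """\
------------[ cut here ]------------
WARNING: CPU: 0 PID: 77 at lib/example.c:1 example_fn+0x1/0x2
------------[ cut here ]------------
kernel BUG at fs/f2fs/inode.c:896!
CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360
RIP: 0010:f2fs_evict_inode+0x58c/0x610
"""

if __name__ == "__main__":
    release = "6.11.0-rc7-dirty"  # version string from the trace
    print(release, "in affected range:", in_affected_range(release))
    print("matching reports:", find_evict_oops(SAMPLE_LOG))
```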
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/9669b28f81e0ec6305af7773846fbe2cef1e7d61
- https://git.kernel.org/stable/c/9e28513fd2858911dcf47b84160a8824587536b6
- https://git.kernel.org/stable/c/a365de2fbfbe1e6740bfb75ab5c3245cf7bbe4d7
- https://git.kernel.org/stable/c/ac8aaf78bd039fa1be0acaa8e84a56499f79d721
- https://git.kernel.org/stable/c/d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca
- https://git.kernel.org/stable/c/dff561e4060d28edc9a2960d4a87f3c945a96aa3
- https://git.kernel.org/stable/c/ef517d2d21c3d8e2ad35b2bb728bd1c90a31e617
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html



