CVE-2021-47256

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2024
Last modified:
30/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: make sure wait for page writeback in memory_failure

Our syzkaller triggered the "BUG_ON(!list_empty(&inode->i_wb_list))" in clear_inode:

  kernel BUG at fs/inode.c:519!
  Internal error: Oops - BUG: 0 [#1] SMP
  Modules linked in:
  Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)
  CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95
  Hardware name: linux,dummy-virt (DT)
  pstate: 80000005 (Nzcv daif -PAN -UAO)
  pc : clear_inode+0x280/0x2a8
  lr : clear_inode+0x280/0x2a8
  Call trace:
    clear_inode+0x280/0x2a8
    ext4_clear_inode+0x38/0xe8
    ext4_free_inode+0x130/0xc68
    ext4_evict_inode+0xb20/0xcb8
    evict+0x1a8/0x3c0
    iput+0x344/0x460
    do_unlinkat+0x260/0x410
    __arm64_sys_unlinkat+0x6c/0xc0
    el0_svc_common+0xdc/0x3b0
    el0_svc_handler+0xf8/0x160
    el0_svc+0x10/0x218
  Kernel panic - not syncing: Fatal exception

A crash dump of this problem shows that someone called __munlock_pagevec to clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap -> munlock_vma_pages_range -> __munlock_pagevec.

As a result, memory_failure will call identify_page_state without wait_on_page_writeback. And after truncate_error_page clears the mapping of this page, end_page_writeback won't call sb_clear_inode_writeback to clear inode->i_wb_list. That will trigger BUG_ON in clear_inode!

Fix it by checking PageWriteback too, to help determine whether we should skip wait_on_page_writeback.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.16 (including) 4.14.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.196 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.128 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*
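
The following check is an added example, not part of the original advisory: it tests a `uname -r` style release string against the ranges in the table above. The function names and the sample release strings are assumptions made for illustration; only the range boundaries come from the table.

```python
import re

# Upstream ranges from the table above: "From" is inclusive, "Up to" is exclusive.
AFFECTED_RANGES = [
    ("3.16", "4.14.238"),
    ("4.15", "4.19.196"),
    ("4.20", "5.4.128"),
    ("5.5", "5.10.46"),
    ("5.11", "5.12.13"),
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def release_key(release):
    """Turn '4.19.95', '5.13.0-rc3' or '5.4.0-150-generic' into a sortable tuple."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    # A final release sorts after every -rc of the same version (flag 1 vs 0).
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


# Pre-releases listed one by one in the table: 5.13-rc1 through 5.13-rc6.
AFFECTED_RCS = {release_key(f"5.13-rc{n}") for n in range(1, 7)}


def is_affected(release):
    """True if the upstream version number falls inside a listed range."""
    key = release_key(release)
    if key in AFFECTED_RCS:
        return True
    return any(release_key(lo) <= key < release_key(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed samples; "4.19.95" is the kernel named in the oops above.
    for sample in ("4.19.95", "4.19.196", "5.4.0-150-generic", "5.13.0-rc6", "5.13.0"):
        print(f"{sample:20} affected={is_affected(sample)}")
```

A match on the version number alone is not conclusive for distribution kernels, which often backport fixes without changing the upstream base version; confirm against the vendor's changelog or advisory for this CVE.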