CVE-2021-47460

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/05/2024
Last modified: 24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix data corruption after conversion from inline format

Commit 6dbf7bb55598 ("fs: Don't invalidate page buffers in block_write_full_page()") uncovered a latent bug in ocfs2 conversion from inline inode format to a normal inode format.

The code in ocfs2_convert_inline_data_to_extents() attempts to zero out the whole cluster allocated for file data by grabbing, zeroing, and dirtying all pages covering this cluster. However these pages are beyond i_size, thus writeback code generally ignores these dirty pages and no blocks were ever actually zeroed on the disk.

This oversight was fixed by commit 693c241a5f6a ("ocfs2: No need to zero pages past i_size.") for standard ocfs2 write path, inline conversion path was apparently forgotten; the commit log also has a reasoning why the zeroing actually is not needed.

After commit 6dbf7bb55598, things became worse as writeback code stopped invalidating buffers on pages beyond i_size and thus these pages end up with clean PageDirty bit but with buffers attached to these pages being still dirty. So when a file is converted from inline format, then writeback triggers, and then the file is grown so that these pages become valid, the invalid dirtiness state is preserved, mark_buffer_dirty() does nothing on these pages (buffers are already dirty) but page is never written back because it is clean. So data written to these pages is lost once pages are reclaimed.

Simple reproducer for the problem is:

  xfs_io -f -c "pwrite 0 2000" -c "pwrite 2000 2000" -c "fsync" \
    -c "pwrite 4000 2000" ocfs2_file

After unmounting and mounting the fs again, you can observe that end of 'ocfs2_file' has lost its contents.

Fix the problem by not doing the pointless zeroing during conversion from inline format similarly as in the standard write path.

[akpm@linux-foundation.org: fix whitespace, per Joseph]
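The page/buffer dirty-state mismatch described above, reduced to a toy model in C. This is an added example, not kernel or ocfs2 code: the struct and function names are hypothetical, and a single buffer stands in for all buffers attached to the page.

```c
/* Toy model of one page-cache page beyond i_size (added example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>

struct toy_page {
    bool dirty;      /* stands in for the PageDirty bit */
    bool buf_dirty;  /* stands in for the dirty bit of an attached buffer */
};

/* Writeback of a page beyond i_size: nothing reaches disk and the page bit is
 * cleared. invalidate=true models the behaviour before commit 6dbf7bb55598. */
static void writeback_beyond_eof(struct toy_page *p, bool invalidate)
{
    p->dirty = false;
    if (invalidate)
        p->buf_dirty = false;
}

/* As the description says of mark_buffer_dirty(): an already-dirty buffer is
 * left alone; only a clean-to-dirty transition also dirties the page. */
static void toy_mark_buffer_dirty(struct toy_page *p)
{
    if (p->buf_dirty)
        return;
    p->buf_dirty = true;
    p->dirty = true;
}

/* Returns true when data written after the file grows over the page is lost. */
static bool write_lost(bool conversion_dirties_page, bool invalidate)
{
    struct toy_page p = { false, false };
    if (conversion_dirties_page)           /* unfixed inline conversion */
        p.dirty = p.buf_dirty = true;
    writeback_beyond_eof(&p, invalidate);  /* the "fsync" step of the reproducer */
    toy_mark_buffer_dirty(&p);             /* file grown, new data written */
    return !p.dirty;                       /* a clean page is never written back */
}

int main(void)
{
    printf("before 6dbf7bb55598, conversion zeroes: lost=%d\n", write_lost(true, true));
    printf("after 6dbf7bb55598, conversion zeroes:  lost=%d\n", write_lost(true, false));
    printf("after 6dbf7bb55598, zeroing removed:    lost=%d\n", write_lost(false, false));
    return 0;
}
```

Only the middle case, where the buffer stays dirty while the page bit is cleared, ends with a clean page holding new data.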

Vulnerable products and versions

CPE                                                From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.9.242 (including)   4.9.288 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.14.204 (including)  4.14.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.19.155 (including)  4.19.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.4.75 (including)    5.4.156 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.9.5 (including)     5.10.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)      5.14.15 (excluding)
cpe:2.3:o:linux:linux_kernel:5.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:*