CVE-2022-49347

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix bug_on in ext4_writepages<br /> <br /> we got issue as follows:<br /> EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/ext4/inode.c:2708!<br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155<br /> RIP: 0010:ext4_writepages+0x1977/0x1c10<br /> RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000<br /> RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002<br /> RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000<br /> R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001<br /> R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028<br /> FS: 00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> do_writepages+0x130/0x3a0<br /> filemap_fdatawrite_wbc+0x83/0xa0<br /> filemap_flush+0xab/0xe0<br /> ext4_alloc_da_blocks+0x51/0x120<br /> __ext4_ioctl+0x1534/0x3210<br /> __x64_sys_ioctl+0x12c/0x170<br /> do_syscall_64+0x3b/0x90<br /> <br /> It may happen as follows:<br /> 1. write inline_data inode<br /> vfs_write<br /> new_sync_write<br /> ext4_file_write_iter<br /> ext4_buffered_write_iter<br /> generic_perform_write<br /> ext4_da_write_begin<br /> ext4_da_write_inline_data_begin -&gt; If inline data size too<br /> small will allocate block to write, then mapping will has<br /> dirty page<br /> ext4_da_convert_inline_data_to_extent -&gt;clear EXT4_STATE_MAY_INLINE_DATA<br /> 2. fallocate<br /> do_vfs_ioctl<br /> ioctl_preallocate<br /> vfs_fallocate<br /> ext4_fallocate<br /> ext4_convert_inline_data<br /> ext4_convert_inline_data_nolock<br /> ext4_map_blocks -&gt; fail will goto restore data<br /> ext4_restore_inline_data<br /> ext4_create_inline_data<br /> ext4_write_inline_data<br /> ext4_set_inode_state -&gt; set inode EXT4_STATE_MAY_INLINE_DATA<br /> 3. writepages<br /> __ext4_ioctl<br /> ext4_alloc_da_blocks<br /> filemap_flush<br /> filemap_fdatawrite_wbc<br /> do_writepages<br /> ext4_writepages<br /> if (ext4_has_inline_data(inode))<br /> BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))<br /> <br /> The root cause of this issue is we destory inline data until call<br /> ext4_writepages under delay allocation mode. But there maybe already<br /> convert from inline to extent. To solve this issue, we call<br /> filemap_flush first..