CVE-2022-49511

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
26/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: fix the pagelist corruption

Easily hit the below list corruption:
==
list_add corruption. prev->next should be next (ffffffffc0ceb090), but
was ffffec604507edc8. (prev=ffffec604507edc8).
WARNING: CPU: 65 PID: 3959 at lib/list_debug.c:26
__list_add_valid+0x53/0x80
CPU: 65 PID: 3959 Comm: fbdev Tainted: G U
RIP: 0010:__list_add_valid+0x53/0x80
Call Trace:

fb_deferred_io_mkwrite+0xea/0x150
do_page_mkwrite+0x57/0xc0
do_wp_page+0x278/0x2f0
__handle_mm_fault+0xdc2/0x1590
handle_mm_fault+0xdd/0x2c0
do_user_addr_fault+0x1d3/0x650
exc_page_fault+0x77/0x180
? asm_exc_page_fault+0x8/0x30
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x7fd98fc8fad1
==

Figured out that the race happens when one process is adding &page->lru into
the pagelist tail in fb_deferred_io_mkwrite() while another process is
re-initializing the same &page->lru in fb_deferred_io_fault(), which is
not protected by the lock.

This fix is to init all the page lists one time during initialization;
it not only fixes the list corruption, but also avoids INIT_LIST_HEAD()
redundantly.

V2: change "int i" to "unsigned int i" (Geert Uytterhoeven)
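The interleaving the commit message describes, replayed in user space as an added example (this is not kernel code and not the patch itself). It models struct page->lru, the list.h linkage, and the checks in lib/list_debug.c that print the warning quoted above, then runs the same sequence once with the old fault handler (re-initialising page->lru outside the lock) and once with the fixed behaviour (page lists initialised one time at setup). The helper names fault_old, fault_fixed, mkwrite and run_scenario are modelling stand-ins, and the race hook that runs between the list walk and the list_add_tail() is a deterministic substitute for the other CPU's fault handler; it can run at that point precisely because fb_deferred_io_fault() does not take fbdefio->lock.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Kernel-style intrusive list, reduced to what the race needs. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

/* Stand-in for __list_add_valid(): the sanity checks whose failure prints
 * the "list_add corruption" warning from the report. */
static bool list_add_valid(struct list_head *entry, struct list_head *prev,
                           struct list_head *next)
{
    if (next->prev != prev) {
        fprintf(stderr, "list_add corruption. next->prev should be prev (%p), but was %p. (next=%p)\n",
                (void *)prev, (void *)next->prev, (void *)next);
        return false;
    }
    if (prev->next != next) {
        fprintf(stderr, "list_add corruption. prev->next should be next (%p), but was %p. (prev=%p)\n",
                (void *)next, (void *)prev->next, (void *)prev);
        return false;
    }
    if (entry == prev || entry == next) {
        fprintf(stderr, "list_add double add: new=%p, prev=%p, next=%p.\n",
                (void *)entry, (void *)prev, (void *)next);
        return false;
    }
    return true;
}

/* list_add_tail() with CONFIG_DEBUG_LIST behaviour: refuse a corrupt add. */
static bool list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev, *next = head;
    if (!list_add_valid(entry, prev, next))
        return false;
    next->prev = entry; entry->next = next; entry->prev = prev; prev->next = entry;
    return true;
}

/* Only the fields the race touches (modelling stand-ins, not the real structs). */
struct page { unsigned long index; struct list_head lru; };
struct fb_deferred_io { struct list_head pagelist; /* ->lock modelled in mkwrite() */ };

/* Old fault path: re-initialises page->lru on every fault, without the lock. */
static void fault_old(struct page *page) { INIT_LIST_HEAD(&page->lru); }
/* Fixed fault path: lru was initialised once at setup and is left alone. */
static void fault_fixed(struct page *page) { (void)page; }

/* Model of fb_deferred_io_mkwrite(): under the lock, walk the list to see
 * whether the page is already queued, then link it at the tail.  `race`
 * stands in for another CPU's unlocked fault handler running between the
 * walk and the link.  Returns false if the debug check rejected the add. */
static bool mkwrite(struct fb_deferred_io *fbdefio, struct page *page, void (*race)(void))
{
    struct list_head *cur;
    /* mutex_lock(&fbdefio->lock); */
    for (cur = fbdefio->pagelist.next; cur != &fbdefio->pagelist; cur = cur->next)
        if (cur == &page->lru)
            return true;                 /* page already on the list */
    if (race)
        race();
    bool ok = list_add_tail(&page->lru, &fbdefio->pagelist);
    /* mutex_unlock(&fbdefio->lock); */
    return ok;
}

static struct fb_deferred_io fbdefio;
static struct page pages[2];             /* constructed two-page framebuffer */

/* Process B faults on page 0 while process A is inside mkwrite(page 1). */
static void race_old(void)   { fault_old(&pages[0]); }
static void race_fixed(void) { fault_fixed(&pages[0]); }

static unsigned int pagelist_len(const struct fb_deferred_io *fb)
{
    unsigned int n = 0;
    const struct list_head *cur;
    for (cur = fb->pagelist.next; cur != &fb->pagelist; cur = cur->next)
        n++;
    return n;
}

/* Replays the reported interleaving: page 0 is on the pagelist, A's
 * mkwrite(page 1) has finished its walk, B faults on page 0, A links page 1.
 * Returns true if the final add passed the corruption check. */
static bool run_scenario(bool fixed)
{
    void (*fault)(struct page *) = fixed ? fault_fixed : fault_old;
    unsigned int i;

    INIT_LIST_HEAD(&fbdefio.pagelist);
    for (i = 0; i < 2; i++) {
        pages[i].index = i;
        if (fixed)
            INIT_LIST_HEAD(&pages[i].lru);   /* the fix: init every lru once, at setup */
    }
    fault(&pages[0]);                        /* A reads page 0 ... */
    if (!mkwrite(&fbdefio, &pages[0], NULL)) /* ... then writes it */
        return false;
    fault(&pages[1]);                        /* A first touches page 1 */
    return mkwrite(&fbdefio, &pages[1], fixed ? race_fixed : race_old);
}

int main(void)
{
    printf("old fault path:   %s\n", run_scenario(false) ? "ok" : "list corruption");
    printf("fixed fault path: %s, %u pages queued\n",
           run_scenario(true) ? "ok" : "list corruption", pagelist_len(&fbdefio));
    return 0;
}
```

With the old path, the racing INIT_LIST_HEAD() turns the tail page's next pointer back onto itself, so the subsequent list_add_tail() finds prev->next pointing at prev instead of at the list head, which is exactly the "prev->next should be next (...), but was ... (prev=...)" shape in the report, with prev and prev->next the same struct page address. Note that once that happens the list is self-looping at the tail, so a later list_for_each walk from the head would never terminate; the model therefore only walks before the corrupting step.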

Impact