CVE-2024-26871
f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
f2fs: fix NULL pointer dereference in f2fs_submit_page_write()
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix NULL pointer dereference in f2fs_submit_page_write() BUG: kernel NULL pointer dereference, address: 0000000000000014 RIP: 0010:f2fs_submit_page_write+0x6cf/0x780 [f2fs] Call Trace: <TASK> ? show_regs+0x6e/0x80 ? __die+0x29/0x70 ? page_fault_oops+0x154/0x4a0 ? prb_read_valid+0x20/0x30 ? __irq_work_queue_local+0x39/0xd0 ? irq_work_queue+0x36/0x70 ? do_user_addr_fault+0x314/0x6c0 ? exc_page_fault+0x7d/0x190 ? asm_exc_page_fault+0x2b/0x30 ? f2fs_submit_page_write+0x6cf/0x780 [f2fs] ? f2fs_submit_page_write+0x736/0x780 [f2fs] do_write_page+0x50/0x170 [f2fs] f2fs_outplace_write_data+0x61/0xb0 [f2fs] f2fs_do_write_data_page+0x3f8/0x660 [f2fs] f2fs_write_single_data_page+0x5bb/0x7a0 [f2fs] f2fs_write_cache_pages+0x3da/0xbe0 [f2fs] ... It is possible that other threads have added this fio to io->bio and submitted the io->bio before entering f2fs_submit_page_write(). At this point io->bio = NULL. If is_end_zone_blkaddr(sbi, fio->new_blkaddr) of this fio is true, then an NULL pointer dereference error occurs at bio_get(io->bio). The original code for determining zone end was after "out:", which would have missed some fio who is zone end. I've moved this code before "skip:" to make sure it's done for each fio.
Reserved 2024-02-19 | Published 2024-04-17 | Updated 2024-12-19 | Assigner Linuxgit.kernel.org/...c/8e2ea8b04cb8d976110c4568509e67d6a39b2889
git.kernel.org/...c/4c122a32582b67bdd44ca8d25f894ee2dc54f566
git.kernel.org/...c/6d102382a11d5e6035f6c98f6e508a38541f7af3
git.kernel.org/...c/c2034ef6192a65a986a45c2aa2ed05824fdc0e9f
Support options
