Description
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. The concurrent scenario that triggers the panic is as follows: F2FS_WB_CP_DATA write callback umount - f2fs_write_checkpoint - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA) - blk_mq_end_request - bio_endio - f2fs_write_end_io : dec_page_count(sbi, F2FS_WB_CP_DATA) : wake_up(&sbi->cp_wait) - kill_f2fs_super - kill_block_super - f2fs_put_super : iput(sbi->node_inode) : sbi->node_inode = NULL : f2fs_in_warm_node_list - is_node_folio // sbi->node_inode is NULL and panic The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic. This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.
Product status
50fa53eccf9f911a5b435248a2b0bd484fd82e5e (git) before 7be222de96c0f9eee6e65eeb017ef855ee185cfa
50fa53eccf9f911a5b435248a2b0bd484fd82e5e (git) before 963d2e24d9d92a31e6773b0f642214f10013ebf7
50fa53eccf9f911a5b435248a2b0bd484fd82e5e (git) before 188bb65f247a7a7c62f287c9a263aee3cad96fa5
50fa53eccf9f911a5b435248a2b0bd484fd82e5e (git) before 2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53
4.19
Any version before 4.19
6.12.86 (semver)
6.18.25 (semver)
7.0.2 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/7be222de96c0f9eee6e65eeb017ef855ee185cfa
git.kernel.org/...c/963d2e24d9d92a31e6773b0f642214f10013ebf7
git.kernel.org/...c/188bb65f247a7a7c62f287c9a263aee3cad96fa5
git.kernel.org/...c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53