nilfs2: fix state management in error path of log writing function
[ Upstream commit 6576dd6695f2afca3f4954029ac4a64f82ba60ab ] Fix CVE: CVE-2024-47669 After commit a694291a62
("nilfs2: separate wait function from nilfs_segctor_write") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remains uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared. Link: https://lkml.kernel.org/r/20240814101119.4070-1-konishi.ryusuke@gmail.com Fixes: a694291a62
("nilfs2: separate wait function from nilfs_segctor_write") Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Haisu Wang <haisuwang@tencent.com> Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
parent
a56760dedf
commit
6c74355d9c
|
@ -1798,6 +1798,9 @@ static void nilfs_segctor_abort_construction(struct nilfs_sc_info *sci,
|
|||
nilfs_abort_logs(&logs, ret ? : err);
|
||||
|
||||
list_splice_tail_init(&sci->sc_segbufs, &logs);
|
||||
if (list_empty(&logs))
|
||||
return; /* if the first segment buffer preparation failed */
|
||||
|
||||
nilfs_cancel_segusage(&logs, nilfs->ns_sufile);
|
||||
nilfs_free_incomplete_logs(&logs, nilfs);
|
||||
|
||||
|
@ -2037,7 +2040,7 @@ static int nilfs_segctor_do_construct(struct nilfs_sc_info *sci, int mode)
|
|||
|
||||
err = nilfs_segctor_begin_construction(sci, nilfs);
|
||||
if (unlikely(err))
|
||||
goto out;
|
||||
goto failed;
|
||||
|
||||
/* Update time stamp */
|
||||
sci->sc_seg_ctime = ktime_get_real_seconds();
|
||||
|
@ -2100,10 +2103,9 @@ static int nilfs_segctor_do_construct(struct nilfs_sc_info *sci, int mode)
|
|||
return err;
|
||||
|
||||
failed_to_write:
|
||||
if (sci->sc_stage.flags & NILFS_CF_IFILE_STARTED)
|
||||
nilfs_redirty_inodes(&sci->sc_dirty_files);
|
||||
|
||||
failed:
|
||||
if (mode == SC_LSEG_SR && nilfs_sc_cstage_get(sci) >= NILFS_ST_IFILE)
|
||||
nilfs_redirty_inodes(&sci->sc_dirty_files);
|
||||
if (nilfs_doing_gc())
|
||||
nilfs_redirty_inodes(&sci->sc_gc_inodes);
|
||||
nilfs_segctor_abort_construction(sci, nilfs, err);
|
||||
|
|
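Review bot: The guard under `failed:` in nilfs_segctor_do_construct(), `if (mode == SC_LSEG_SR && nilfs_sc_cstage_get(sci) >= NILFS_ST_IFILE)`, has no comment explaining why re-dirtying depends on the mode and the collection stage. The commit message gives the reason, and it is an integrity invariant worth keeping next to the code, for example `/* NILFS_I_COLLECTED must not stay set after a failed write, or a later partial log write may drop these inodes from sc_dirty_files */`. As rendered, `failed_to_write:` appears to fall straight through to `failed:` with nothing in between, so either merge the two labels or add a one-line note that the fall-through is intentional. The +/- markers are lost on this page and the function starts and ends outside the hunk, so check both points against the full file.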