From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com, Lee Jones, Theodore Tso, Sasha Levin
Subject: [PATCH 5.17 0876/1126] ext4: don't BUG if someone dirty pages without asking ext4 first
Date: Tue, 5 Apr 2022 09:27:03 +0200
Message-Id: <20220405070433.248084159@linuxfoundation.org>
In-Reply-To: <20220405070407.513532867@linuxfoundation.org>

From: Theodore Ts'o

[ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ]

[un]pin_user_pages_remote is dirtying pages without properly warning
the file system in advance. A related race was noted by Jan Kara in
2018[1]; however, more recently instead of it being a very hard-to-hit
race, it could be reliably triggered by process_vm_writev(2) which was
discovered by Syzbot[2].

This is technically a bug in mm/gup.c, but arguably ext4 is fragile in
that if some other kernel subsystem dirty pages without properly
notifying the file system using page_mkwrite(), ext4 will BUG, while
other file systems will not BUG (although data will still be lost).

So instead of crashing with a BUG, issue a warning (since there may be
potential data loss) and just mark the page as clean to avoid
unprivileged denial of service attacks until the problem can be
properly fixed. More discussion and background can be found in the
thread starting at [2].

[1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz
[2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com

Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com
Reported-by: Lee Jones
Signed-off-by: Theodore Ts'o
Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu
Signed-off-by: Sasha Levin
---
 fs/ext4/inode.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 01c9e4f743ba..531a94f48637 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -1993,6 +1993,15 @@ static int ext4_writepage(struct page *page, else len = PAGE_SIZE; + /* Should never happen but for bugs in other kernel subsystems */ + if (!page_has_buffers(page)) { + ext4_warning_inode(inode, + "page %lu does not have buffers attached", page->index); + ClearPageDirty(page); + unlock_page(page); + return 0; + } + page_bufs = page_buffers(page); /* * We cannot do block allocation or other extent handling in this
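Review bot: In ext4_writepage(), the new early exit ends with `return 0;` after ClearPageDirty(page), so the writeback caller is told the page was handled successfully even though its contents were just discarded. Nothing in the hunk records the loss other than the ext4_warning_inode() message; consider also flagging the mapping (for example mapping_set_error(page->mapping, -EIO)) so that a later fsync() can report it, or say in the comment why reporting success is intended. The one-line comment would also benefit from the lore reference that the comment in the second hunk carries.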
@@ -2594,6 +2603,22 @@ static int mpage_prepare_extent_to_map(struct mpage_da_data *mpd) wait_on_page_writeback(page); BUG_ON(PageWriteback(page)); + /* + * Should never happen but for buggy code in + * other subsystems that call + * set_page_dirty() without properly warning + * the file system first. See [1] for more + * information. + * + * [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz + */ + if (!page_has_buffers(page)) { + ext4_warning_inode(mpd->inode, "page %lu does not have buffers attached", page->index); + ClearPageDirty(page); + unlock_page(page); + continue; + } + if (mpd->map.m_len == 0) mpd->first_page = page->index; mpd->next_page = page->index + 1; -- 2.34.1
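Review bot: The check in mpage_prepare_extent_to_map() sits inside the per-page loop (it ends in `continue;`) and, per the commit message, the condition can be reached from unprivileged process_vm_writev(2), so the ext4_warning_inode() call can fire once per affected page; it is worth confirming that this warning is rate limited so that the BUG is not traded for log flooding. On style, the call `ext4_warning_inode(mpd->inode, "page %lu does not have buffers attached", page->index);` is on one long line while the same message in ext4_writepage() is wrapped, and the warn, ClearPageDirty(), unlock_page() sequence is now duplicated in both functions; a small shared helper would keep the two copies in step.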