Bug 1220617 (CVE-2021-46982) - VUL-0: CVE-2021-46982: kernel: f2fs: compress: race condition of overwrite vs truncate
Summary: VUL-0: CVE-2021-46982: kernel: f2fs: compress: race condition of overwrite vs...
Status: RESOLVED FIXED
Alias: CVE-2021-46982
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Kernel Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395431/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-46982:4.7:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-29 08:51 UTC by SMASH SMASH
Modified: 2024-02-29 08:51 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-29 08:51:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

f2fs: compress: fix race condition of overwrite vs truncate

pos_fsstress testcase complains a panic as belew:

------------[ cut here ]------------
kernel BUG at fs/f2fs/compress.c:1082!
invalid opcode: 0000 [#1] SMP PTI
CPU: 4 PID: 2753477 Comm: kworker/u16:2 Tainted: G           OE     5.12.0-rc1-custom #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Workqueue: writeback wb_workfn (flush-252:16)
RIP: 0010:prepare_compress_overwrite+0x4c0/0x760 [f2fs]
Call Trace:
 f2fs_prepare_compress_overwrite+0x5f/0x80 [f2fs]
 f2fs_write_cache_pages+0x468/0x8a0 [f2fs]
 f2fs_write_data_pages+0x2a4/0x2f0 [f2fs]
 do_writepages+0x38/0xc0
 __writeback_single_inode+0x44/0x2a0
 writeback_sb_inodes+0x223/0x4d0
 __writeback_inodes_wb+0x56/0xf0
 wb_writeback+0x1dd/0x290
 wb_workfn+0x309/0x500
 process_one_work+0x220/0x3c0
 worker_thread+0x53/0x420
 kthread+0x12f/0x150
 ret_from_fork+0x22/0x30

The root cause is truncate() may race with overwrite as below,
so that one reference count left in page can not guarantee the
page attaching in mapping tree all the time, after truncation,
later find_lock_page() may return NULL pointer.

- prepare_compress_overwrite
 - f2fs_pagecache_get_page
 - unlock_page
					- f2fs_setattr
					 - truncate_setsize
					  - truncate_inode_page
					   - delete_from_page_cache
 - find_lock_page

Fix this by avoiding referencing updated page.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-46982
https://git.kernel.org/stable/c/5639b73fd3bc6fc8ca72e3a9ac15aacaabd7ebff
https://git.kernel.org/stable/c/64acb100fe3beb5d20184d0ae3307235bd3555c4
https://git.kernel.org/stable/c/936158b15e2648253afb824d252c910c496d34b5
https://git.kernel.org/stable/c/a949dc5f2c5cfe0c910b664650f45371254c0744
https://www.cve.org/CVERecord?id=CVE-2021-46982
Comment 1 Carlos López 2024-02-29 08:51:50 UTC 
Already fixed in affected branches (cve/linux-5.14, SLE15-SP6, stable and master). Closing.