| author | Chao Yu <chao@kernel.org> | 2026-05-21 05:15:05 +0300 |
|---|---|---|
| committer | Jaegeuk Kim <jaegeuk@kernel.org> | 2026-06-22 22:52:35 +0300 |
| commit | e0288584baa5dc41df4a829a023c4c1b33fe53d7 (patch) | |
| tree | 9d1727834165cba19ebd7ef60f194b7d97837165 /scripts | |
| parent | 8b4468ec023d0d1b4669dfb867588997cc03a06b (diff) | |
| download | linux-e0288584baa5dc41df4a829a023c4c1b33fe53d7.tar.xz | |
f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode

```
- ioctl(F2FS_IOC_GARBAGE_COLLECT_RANGE)                 - shrink
 - f2fs_gc
  - gc_data_segment
   - ra_data_block(cow_inode)
    - mapping = F2FS_I(inode)->atomic_inode->i_mapping
    : f2fs_is_cow_file(cow_inode) is true
                                                        - f2fs_evict_inode(atomic_inode)
                                                         - clear_inode_flag(fi->cow_inode, FI_COW_FILE)
                                                         - F2FS_I(fi->cow_inode)->atomic_inode = NULL
                                                         ...
                                                         - truncate_inode_pages_final(atomic_inode)
    - f2fs_grab_cache_folio(mapping)
    : create folio in atomic_inode->mapping
                                                         - clear_inode(atomic_inode)
                                                          - BUG_ON(atomic_inode->i_data.nrpages)
```

We need to add a reference on fi->atomic_inode before using its mapping
field during garbage collection; otherwise, it will cause a UAF issue.
Cc: stable@kernel.org
Cc: Daeho Jeong <daehojeong@google.com>
Cc: Sunmin Jeong <s_min.jeong@samsung.com>
Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
Fixes: f18d00769336 ("f2fs: use meta inode for GC of COW file")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Diffstat (limited to 'scripts')
0 files changed, 0 insertions, 0 deletions
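
The ordering the commit message asks for (take a reference on the atomic inode before using its mapping), as an added single-threaded userspace model. It is not the kernel patch, whose diff is not shown on this page, and every `model_*` name is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not f2fs code: all model_* names are hypothetical. */
struct model_inode {
    int refcount;                     /* holders keeping the inode alive */
    bool freeing;                     /* eviction has started */
    int nrpages;                      /* folios cached in its mapping */
    struct model_inode *atomic_inode; /* uncounted pointer, COW inode only */
};

/* igrab()-like: take a reference unless eviction already started. */
static struct model_inode *model_grab(struct model_inode *inode)
{
    if (!inode || inode->freeing)
        return NULL;
    inode->refcount++;
    return inode;
}

/* Shrinker side: evicts only unreferenced inodes; true if evicted. */
static bool model_try_evict(struct model_inode *atomic, struct model_inode *cow)
{
    if (atomic->refcount > 0)
        return false;         /* pinned by GC, eviction is deferred */
    atomic->freeing = true;
    cow->atomic_inode = NULL;
    atomic->nrpages = 0;      /* models truncate_inode_pages_final() */
    return true;
}

/* GC side: pin the atomic inode, then add a folio to its mapping. */
static bool model_gc_readahead(struct model_inode *cow, bool evict_races)
{
    struct model_inode *atomic = model_grab(cow->atomic_inode);
    if (!atomic)
        return false;         /* no safe mapping: skip this block */
    if (evict_races)
        model_try_evict(atomic, cow); /* shrinker fires mid-GC */
    atomic->nrpages++;        /* models f2fs_grab_cache_folio(mapping) */
    atomic->refcount--;       /* iput()-like release */
    return true;
}

int main(void)
{
    struct model_inode atomic = {0}, cow = {.refcount = 1, .atomic_inode = &atomic};
    bool ok = model_gc_readahead(&cow, true);
    printf("gc ok=%d nrpages=%d\n", ok, atomic.nrpages);
}
```

With the pin held, the racing eviction is refused, so the folio lands in a live mapping and a later eviction truncates it before the `nrpages` check that `clear_inode()` performs.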
