From: Ryusuke Konishi <konishi.ryusuke@gmail.com>

stable inclusion
from stable-v4.19.312
commit 91e4c4595fae5e87069e44687ae879091783c183
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5DI
CVE: CVE-2024-26955

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 269cdf353b5bdd15f1a079671b0f889113865f20 ]
Fix a bug where nilfs_get_block() returns a successful status when searching and inserting the specified block both fail inconsistently. If this inconsistent behavior is not due to a previously fixed bug, then an unexpected race is occurring, so return a temporary error -EAGAIN instead.
This prevents callers such as __block_write_begin_int() from requesting a read into a buffer that is not mapped, which would cause the BUG_ON check for the BH_Mapped flag in submit_bh_wbc() to fail.

Link: https://lkml.kernel.org/r/20240313105827.5296-3-konishi.ryusuke@gmail.com
Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Conflicts:
	fs/nilfs2/inode.c
[In upstream branch linux-4.19.y, there is a dependent commit 5c8f85e9ff21 ("nilfs2: use a more common logging style"), but since backporting it will introduce more dependent commits and this fix is simple, we can directly adapt this patch.]
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
 fs/nilfs2/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index bfe3c7ccdf50..cbfe6ed764d3 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -107,7 +107,7 @@ int nilfs_get_block(struct inode *inode, sector_t blkoff, "%s (ino=%lu): a race condition while inserting a data block at offset=%llu", __func__, inode->i_ino, (unsigned long long)blkoff); - err = 0; + err = -EAGAIN; } nilfs_transaction_abort(inode->i_sb); goto out;
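
Review bot: The new "err = -EAGAIN;" line in the race branch of nilfs_get_block() carries no comment explaining why a temporary error replaces success. A short comment there would help, saying that the block is left unmapped on this path and that returning 0 would let a caller such as __block_write_begin_int() request a read into an unmapped buffer. That would keep a later cleanup from turning it back into 0. Since the error now leaves this function instead of being swallowed, it is also worth confirming that the callers in this 4.19 tree treat -EAGAIN as a failed operation rather than retrying in a tight loop, because the "a race condition while inserting a data block" warning just above is emitted every time the branch is taken. Finally, as the Conflicts note says the context was adapted by hand, please check that the warning call surrounding this line matches the logging helper actually present in this branch and that the one-line change is the only difference from the upstream commit.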