From: "Matthew Wilcox (Oracle)" willy@infradead.org

stable inclusion from stable-v5.10.215 commit 8f599ab6fabbca4c741107eade70722a98adfd9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q97O CVE: CVE-2024-35821

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit 723012cab779eee8228376754e22c6594229bf8f ]

Page cache reads are lockless, so setting the freshly allocated page uptodate before we've overwritten it with the data it's supposed to have in it will allow a simultaneous reader to see old data. Move the call to SetPageUptodate into ubifs_write_end(), which is after we copied the new data into the page.

Fixes: 1e51764a3c2a ("UBIFS: add new flash file system") Cc: stable@vger.kernel.org Signed-off-by: Matthew Wilcox (Oracle) willy@infradead.org Reviewed-by: Zhihao Cheng chengzhihao1@huawei.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Sasha Levin sashal@kernel.org Conflicts: fs/ubifs/file.c [Conflicting patch 3b67db8a6ca8 ("ubifs: Fix to add refcount once page is set private") is not adapted and merged into the current branch.] Signed-off-by: Wang Zhaolong wangzhaolong1@huawei.com --- fs/ubifs/file.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/fs/ubifs/file.c b/fs/ubifs/file.c index 1b78f2e09218..25f5548cbc45 100644 --- a/fs/ubifs/file.c +++ b/fs/ubifs/file.c @@ -274,9 +274,6 @@ static int write_begin_slow(struct address_space *mapping, return err; } } - - SetPageUptodate(page); - ClearPageError(page); }

if (PagePrivate(page)) @@ -475,9 +472,6 @@ static int ubifs_write_begin(struct file *file, struct address_space *mapping, return err; } } - - SetPageUptodate(page); - ClearPageError(page); }

err = allocate_budget(c, page, ui, appending); @@ -487,10 +481,8 @@ static int ubifs_write_begin(struct file *file, struct address_space *mapping, * If we skipped reading the page because we were going to * write all of it, then it is not up to date. */ - if (skipped_read) { + if (skipped_read) ClearPageChecked(page); - ClearPageUptodate(page); - } /* * Budgeting failed which means it would have to force * write-back but didn't, because we set the @fast flag in the @@ -581,6 +573,9 @@ static int ubifs_write_end(struct file *file, struct address_space *mapping, goto out; }

+ if (len == PAGE_SIZE) + SetPageUptodate(page); + if (!PagePrivate(page)) { SetPagePrivate(page); atomic_long_inc(&c->dirty_pg_cnt);