cve/2024/CVE-2024-50229.md
2025-09-29 21:09:30 +02:00

CVE-2024-50229

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential deadlock with newly created symlinks

Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers memory reclamation involving the filesystem layer, which can result in circular lock dependencies among the reader/writer semaphore nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the fs_reclaim pseudo lock.

This is because after commit 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem"), the gfp flags of the page cache for symbolic links are overwritten to GFP_KERNEL via inode_nohighmem().

This is not a problem for symlinks read from the backing device, because the __GFP_FS flag is dropped after inode_nohighmem() is called. However, when a new symlink is created with nilfs_symlink(), the gfp flags remain overwritten to GFP_KERNEL. Then, memory allocation called from page_symlink() etc. triggers memory reclamation including the FS layer, which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can cause a deadlock if they are called while nilfs->ns_segctor_sem is held:

Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags of newly created symlinks in the same way that nilfs_new_inode() and __nilfs_read_inode() do, as a workaround until we adopt nofs allocation scope consistently or improve the locking constraints.

POC

Reference

No PoCs from references.

Github