{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: make sure wait for page writeback in memory_failure\n\nOur syzkaller trigger the \"BUG_ON(!list_empty(&inode->i_wb_list))\" in\nclear_inode:\n\n kernel BUG at fs/inode.c:519!\n Internal error: Oops - BUG: 0 [#1] SMP\n Modules linked in:\n Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)\n CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95\n Hardware name: linux,dummy-virt (DT)\n pstate: 80000005 (Nzcv daif -PAN -UAO)\n pc : clear_inode+0x280/0x2a8\n lr : clear_inode+0x280/0x2a8\n Call trace:\n clear_inode+0x280/0x2a8\n ext4_clear_inode+0x38/0xe8\n ext4_free_inode+0x130/0xc68\n ext4_evict_inode+0xb20/0xcb8\n evict+0x1a8/0x3c0\n iput+0x344/0x460\n do_unlinkat+0x260/0x410\n __arm64_sys_unlinkat+0x6c/0xc0\n el0_svc_common+0xdc/0x3b0\n el0_svc_handler+0xf8/0x160\n el0_svc+0x10/0x218\n Kernel panic - not syncing: Fatal exception\n\nA crash dump of this problem show that someone called __munlock_pagevec\nto clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap\n-> munlock_vma_pages_range -> __munlock_pagevec.\n\nAs a result memory_failure will call identify_page_state without\nwait_on_page_writeback. And after truncate_error_page clear the mapping\nof this page. end_page_writeback won't call sb_clear_inode_writeback to\nclear inode->i_wb_list. That will trigger BUG_ON in clear_inode!\n\nFix it by checking PageWriteback too to help determine should we skip\nwait_on_page_writeback." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "mm/memory-failure.c" ], "versions": [ { "version": "0bc1f8b0682c", "lessThan": "d05267fd27a5", "status": "affected", "versionType": "git" }, { "version": "0bc1f8b0682c", "lessThan": "6d210d547adc", "status": "affected", "versionType": "git" }, { "version": "0bc1f8b0682c", "lessThan": "566345aaabac", "status": "affected", "versionType": "git" }, { "version": "0bc1f8b0682c", "lessThan": "9e379da727a7", "status": "affected", "versionType": "git" }, { "version": "0bc1f8b0682c", "lessThan": "28788dc5c705", "status": "affected", "versionType": "git" }, { "version": "0bc1f8b0682c", "lessThan": "e8675d291ac0", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "mm/memory-failure.c" ], "versions": [ { "version": "3.16", "status": "affected" }, { "version": "0", "lessThan": "3.16", "status": "unaffected", "versionType": "custom" }, { "version": "4.14.238", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.19.196", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.128", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.46", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.12.13", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c" }, { "url": "https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872" }, { "url": "https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527" }, { "url": "https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306" }, { "url": "https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56" }, { "url": "https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a" } ], "title": "mm/memory-failure: make sure wait for page writeback in memory_failure", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-47256", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }