[PATCH 6.1.y 0/2] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic

Bin Lan posted 2 patches 1 month ago
There is a newer version of this series
Posted by Bin Lan 1 month ago
Hi,

This series backports a fix for a use-after-free vulnerability
in the F2FS compressed file decompression path to linux-6.1.y.

The fix stores the sbi pointer and compress_algorithm directly in the
dic struct at allocation time, eliminating the need to dereference the
inode during asynchronous cleanup.

Patch 1 is a preparatory cleanup that changes page_array_alloc/free to
take sbi as the first parameter instead of the inode.

Patch 2 is the actual UAF fix that adds sbi and compress_algorithm
fields to decompress_io_ctx and replaces all late inode dereferences.

Both patches apply cleanly to linux-6.1.170. No logic changes are
needed beyond replacing F2FS_I_SB(dic->inode) with dic->sbi for v6.1.

Testing:
  - Verified on a 6.1.170-yocto-standard kernel with F2FS compression
    enabled (lzo, lz4, zstd).
  - Ran stress tests exercising concurrent read+unlink races, multi-reader
    unlink, and forced inode eviction during deferred dic free.
  - All 15 test cases passed with no crashes or errors.

Zhiguo Niu (2):
  f2fs: compress: change the first parameter of page_array_{alloc,free}
    to sbi
  f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic

 fs/f2fs/compress.c | 76 +++++++++++++++++++++++-----------------------
 fs/f2fs/f2fs.h     |  2 ++
 2 files changed, 40 insertions(+), 38 deletions(-)

-- 
2.43.0
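The capture-at-allocation pattern the cover letter describes, as an added C model that is not part of this series and not f2fs code: the struct names are borrowed from the cover letter, but the fields, helpers, `demo_sbi` and the `race()` driver are simplified, constructed stand-ins for the kernel objects.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the kernel structures named in the cover letter. */
struct f2fs_sb_info { int freed_dics; };
struct f2fs_inode_info { struct f2fs_sb_info *sbi; unsigned char compress_algorithm; };
struct decompress_io_ctx {
	struct f2fs_inode_info *inode;
	struct f2fs_sb_info *sbi;             /* added by the fix */
	unsigned char compress_algorithm;     /* added by the fix */
};
static struct f2fs_sb_info demo_sbi;      /* constructed filesystem for the replay below */
static struct decompress_io_ctx *alloc_dic(struct f2fs_inode_info *fi)
{
	struct decompress_io_ctx *dic = calloc(1, sizeof(*dic));
	if (!dic)
		return NULL;
	dic->inode = fi;
	dic->sbi = fi->sbi;   /* snapshot while the inode is known to be alive */
	dic->compress_algorithm = fi->compress_algorithm;
	return dic;
}
/* Models inode eviction: the memory is reused and the old contents are gone. */
static void evict_inode(struct f2fs_inode_info *fi) { memset(fi, 0, sizeof(*fi)); }

/* Pre-fix shape: the deferred free reaches through dic->inode, which is stale here. */
static struct f2fs_sb_info *free_dic_late_deref(struct decompress_io_ctx *dic)
{
	struct f2fs_sb_info *sbi = dic->inode->sbi;
	free(dic);
	return sbi;
}

/* Fixed shape: the cleanup uses only what the dic captured at allocation. */
static struct f2fs_sb_info *free_dic_fixed(struct decompress_io_ctx *dic)
{
	struct f2fs_sb_info *sbi = dic->sbi;
	sbi->freed_dics++;
	free(dic);
	return sbi;
}
/* Replays the race: allocate the dic, evict the inode, then run the deferred free. */
static struct f2fs_sb_info *race(struct f2fs_sb_info *sbi, int fixed)
{
	struct f2fs_inode_info fi = { .sbi = sbi, .compress_algorithm = 2 };
	struct decompress_io_ctx *dic = alloc_dic(&fi);
	if (!dic) return NULL;
	evict_inode(&fi);
	return fixed ? free_dic_fixed(dic) : free_dic_late_deref(dic);
}
```

In the real kernel the stale read in the pre-fix path is a use-after-free rather than a clean NULL; the model only makes the ordering visible.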
Re: [PATCH 6.1.y 0/2] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
Posted by Sasha Levin 1 month ago
On Tue, May 12, 2026 at 03:50:08PM +0800, Bin Lan wrote:
> This series backports a fix for a use-after-free vulnerability
> in the F2FS compressed file decompression path to linux-6.1.y.
[...]
> Both patches apply cleanly to linux-6.1.170. No logic changes are
> needed beyond replacing F2FS_I_SB(dic->inode) with dic->sbi for v6.1.

Both patches queued for 6.1, thanks.

--
Thanks,
Sasha