CVE-2023-53447

In the Linux kernel, the following vulnerability has been resolved:

f2fs: don't reset unchangable mount option in f2fs_remount()

syzbot reports a bug as below:

general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:__lockacquire+0x69/0x2000 kernel/locking/lockdep.c:4942 Call Trace: lockacquire+0x1e3/0x520 kernel/locking/lockdep.c:5691 __rawwritelock include/linux/rwlockapismp.h:209 [inline] rawwrite_lock+0x2e/0x40 kernel/locking/spinlock.c:300 __dropextenttree+0x3ac/0x660 fs/f2fs/extentcache.c:1100 f2fsdropextenttree+0x17/0x30 fs/f2fs/extentcache.c:1116 f2fsinsertrange+0x2d5/0x3c0 fs/f2fs/file.c:1664 f2fsfallocate+0x4e4/0x6d0 fs/f2fs/file.c:1838 vfsfallocate+0x54b/0x6b0 fs/open.c:324 ksysfallocate fs/open.c:347 [inline] __dosysfallocate fs/open.c:355 [inline] __sesysfallocate fs/open.c:353 [inline] __x64sysfallocate+0xbd/0x100 fs/open.c:353 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

The root cause is race condition as below: - since it tries to remount rw filesystem, so that doremount won't call sbprepareremountreadonly to block fallocate, there may be race condition in between remount and fallocate. - in f2fsremount(), defaultoptions() will reset mount option to default one, and then update it based on result of parse_options(), so there is a hole which race condition can happen.

Thread A Thread B - f2fsfillsuper - parseoptions - clearopt(READEXTENTCACHE)

• f2fs_remount
  • defaultoptions
    • setopt(READEXTENTCACHE)
      • f2fsfallocate
        • f2fsinsertrange
          • f2fsdropextenttree
            • __dropextenttree
              • mayextenttree
                • testopt(READEXTENTCACHE) return true
              • writelock(&et->lock) access NULL pointer
  • parseoptions
    • clearopt(READEXTENTCACHE)