CVE-2024-56586

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix f2fsbugon when uninstalling filesystem call f2fsevictinode.

creating a large files during checkpoint disable until it runs out of space and then delete it, then remount to enable checkpoint again, and then unmount the filesystem triggers the f2fsbugon as below:

------------[ cut here ]------------ kernel BUG at fs/f2fs/inode.c:896! CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360 Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:f2fsevictinode+0x58c/0x610 Call Trace: __diebody+0x15/0x60 die+0x33/0x50 dotrap+0x10a/0x120 f2fsevictinode+0x58c/0x610 doerrortrap+0x60/0x80 f2fsevictinode+0x58c/0x610 excinvalidop+0x53/0x60 f2fsevictinode+0x58c/0x610 asmexcinvalidop+0x16/0x20 f2fsevictinode+0x58c/0x610 evict+0x101/0x260 disposelist+0x30/0x50 evictinodes+0x140/0x190 genericshutdownsuper+0x2f/0x150 killblocksuper+0x11/0x40 killf2fssuper+0x7d/0x140 deactivatelockedsuper+0x2a/0x70 cleanupmnt+0xb3/0x140 taskworkrun+0x61/0x90

The root cause is: creating large files during disable checkpoint period results in not enough free segments, so when writing back root inode will failed in f2fsenablecheckpoint. When umount the file system after enabling checkpoint, the root inode is dirty in f2fsevictinode function, which triggers BUG_ON. The steps to reproduce are as follows:

dd if=/dev/zero of=f2fs.img bs=1M count=55 mount f2fs.img f2fsdir -o checkpoint=disable:10% dd if=/dev/zero of=big bs=1M count=50 sync rm big mount -o remount,checkpoint=enable f2fsdir umount f2fs_dir

Let's redirty inode when there is not free segments during checkpoint is disable.