DEBIAN-CVE-2022-49706

In the Linux kernel, the following vulnerability has been resolved: zonefs: fix zonefsiomapbegin() for reads If a readahead is issued to a sequential zone file with an offset exactly equal to the current file size, the iomap type is set to IOMAPUNWRITTEN, which will prevent an IO, but the iomap length is calculated as 0. This causes a WARNON() in iomapiter(): [17309.548939] WARNING: CPU: 3 PID: 2137 at fs/iomap/iter.c:34 iomapiter+0x9cf/0xe80 [...] [17309.650907] RIP: 0010:iomapiter+0x9cf/0xe80 [...] [17309.754560] Call Trace: [17309.757078] <TASK> [17309.759240] ? lockisheldtype+0xd8/0x130 [17309.763531] iomapreadahead+0x1a8/0x870 [17309.767550] ? iomapreadfolio+0x4c0/0x4c0 [17309.771817] ? lockdephardirqsonprepare+0x400/0x400 [17309.778848] ? lockrelease+0x370/0x750 [17309.784462] ? folioaddlru+0x217/0x3f0 [17309.790220] ? reacquireheldlocks+0x4e0/0x4e0 [17309.796543] readpages+0x17d/0xb60 [17309.801854] ? folioaddlru+0x238/0x3f0 [17309.807573] ? readaheadexpand+0x5f0/0x5f0 [17309.813554] ? policynode+0xb5/0x140 [17309.819018] pagecacheraunbounded+0x27d/0x450 [17309.825439] filemapgetpages+0x500/0x1450 [17309.831444] ? filemapaddfolio+0x140/0x140 [17309.837519] ? lockisheldtype+0xd8/0x130 [17309.843509] filemapread+0x28c/0x9f0 [17309.848953] ? zonefsfilereaditer+0x1ea/0x4d0 [zonefs] [17309.856162] ? tracecontentionend+0xd6/0x130 [17309.862416] ? _mutexlock+0x221/0x1480 [17309.868151] ? zonefsfilereaditer+0x166/0x4d0 [zonefs] [17309.875364] ? filemapgetpages+0x1450/0x1450 [17309.881647] ? _mutexunlockslowpath+0x15e/0x620 [17309.888248] ? waitforcompletioniotimeout+0x20/0x20 [17309.895231] ? lockisheldtype+0xd8/0x130 [17309.901115] ? lockisheldtype+0xd8/0x130 [17309.906934] zonefsfilereaditer+0x356/0x4d0 [zonefs] [17309.913750] newsyncread+0x2d8/0x520 [17309.919035] ? _x64syslseek+0x1d0/0x1d0 Furthermore, this causes iomapreadahead() to loop forever as iomapreadaheaditer() always returns 0, making no progress. Fix this by treating reads after the file size as access to holes, setting the iomap type to IOMAPHOLE, the iomap addr to IOMAPNULLADDR and using the length argument as is for the iomap length. To simplify the code with this change, zonefsiomapbegin() is split into the read variant, zonefsreadiomapbegin() and zonefsreadiomapops, and the write variant, zonefswriteiomapbegin() and zonefswriteiomapops.