In the Linux kernel, the following vulnerability has been resolved:
f2fs: compress: fix to call f2fs_wait_on_page_writeback() in f2fs_write_raw_pages()
BUG_ON() will be triggered when writing files concurrently, because the same page is writtenback multiple times.
1597 void folio_end_writeback(struct folio *folio) 1598 { …… 1618 if (!__folio_end_writeback(folio)) 1619 BUG(); …… 1625 }
kernel BUG at mm/filemap.c:1619! Call Trace: f2fs_write_end_io+0x1a0/0x370 blk_update_request+0x6c/0x410 blk_mq_end_request+0x15/0x130 blk_complete_reqs+0x3c/0x50 __do_softirq+0xb8/0x29b ? sort_range+0x20/0x20 run_ksoftirqd+0x19/0x20 smpboot_thread_fn+0x10b/0x1d0 kthread+0xde/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30
Below is the concurrency scenario:
[Process A] [Process B] [Process C] f2fs_write_raw_pages()
redirty_page_for_writepage()
unlock page() f2fs_do_write_data_page() - lock_page() - clear_page_dirty_for_io() - set_page_writeback() [1st writeback] ….. - unlock page()
generic_perform_write()
- f2fs_write_begin()
- wait_for_stable_page()
- f2fs_write_end()
- set_page_dirty()
lock_page()
This problem was introduced by the previous commit 7377e853967b (f2fs: compress: fix potential deadlock of compress file). All pagelocks were released in f2fs_write_raw_pages(), but whether the page was in the writeback state was ignored in the subsequent writing process. Lets fix it by waiting for the page to writeback before writing.