[PATCH 6.1.y 0/2] f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic

From: Bin Lan

Date: Tue May 12 2026 - 03:54:50 EST


Hi,

This series backports a fix for a use-after-free vulnerability
in the F2FS compressed file decompression path to linux-6.1.y.

The fix stores the sbi pointer and compress_algorithm directly in the
dic struct at allocation time, eliminating the need to dereference the
inode during asynchronous cleanup.

Patch 1 is a preparatory cleanup that changes page_array_alloc/free to
take sbi as the first parameter instead of the inode.

Patch 2 is the actual UAF fix that adds sbi and compress_algorithm
fields to decompress_io_ctx and replaces all late inode dereferences.

Both patches apply cleanly to linux-6.1.170. No logic changes are
needed beyond replacing F2FS_I_SB(dic->inode) with dic->sbi for v6.1.

Testing:
- Verified on a 6.1.170-yocto-standard kernel with F2FS compression
enabled (lzo, lz4, zstd).
- Ran stress tests exercising concurrent read+unlink races, multi-reader
unlink, and forced inode eviction during deferred dic free.
- All 15 test cases passed with no crashes or errors.

Zhiguo Niu (2):
f2fs: compress: change the first parameter of page_array_{alloc,free}
to sbi
f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic

fs/f2fs/compress.c | 76 +++++++++++++++++++++++-----------------------
fs/f2fs/f2fs.h | 2 ++
2 files changed, 40 insertions(+), 38 deletions(-)

--
2.43.0
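The lifetime problem the cover letter describes, as an added userspace model that is not part of this series and not f2fs code: a decompression context that only keeps the inode pointer must dereference it during its deferred free, which is exactly when an unlink or eviction may already have released the inode. Snapshotting the superblock pointer and the algorithm into the context at allocation time, as the series does for decompress_io_ctx, removes that late dereference. Every name below (dic_old, dic_new, sb_info, inode_info, evict_inode, scenario_old, scenario_new) is hypothetical; eviction is modelled by poisoning the inode rather than freeing it, so the bad path returns an error instead of being undefined behaviour.

```c
/*
 * Userspace model of the f2fs dic lifetime problem (added illustration,
 * not f2fs code). dic_old/dic_new stand in for decompress_io_ctx before
 * and after the fix; evict_inode() models the f2fs_inode_info being
 * freed while a deferred dic free is still pending. All names are
 * hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>

enum compress_algo { ALGO_LZO, ALGO_LZ4, ALGO_ZSTD };

struct sb_info {                  /* stands in for f2fs_sb_info */
	int page_array_frees;
};

struct inode_info {               /* stands in for f2fs_inode_info */
	struct sb_info *sbi;
	enum compress_algo algo;
	int live;                     /* 0 once "evicted" (freed in the kernel) */
};

/* Before the fix: the dic holds only the inode and derefs it at cleanup. */
struct dic_old {
	struct inode_info *inode;
	void *pages;
};

/* After the fix: sbi and algorithm are captured at allocation time. */
struct dic_new {
	struct inode_info *inode;     /* still kept for the I/O path */
	struct sb_info *sbi;
	enum compress_algo algo;
	void *pages;
};

/* Patch 1 shape: page_array_{alloc,free} take sbi, not the inode. */
static void *page_array_alloc(struct sb_info *sbi, size_t nr)
{
	(void)sbi;
	return calloc(nr, 64);
}

static void page_array_free(struct sb_info *sbi, void *pages)
{
	sbi->page_array_frees++;
	free(pages);
}

/* Model eviction: the kernel frees the inode here; we poison it instead
 * so a late dereference is detectable rather than undefined behaviour. */
static void evict_inode(struct inode_info *ii)
{
	ii->live = 0;
	ii->sbi = NULL;
}

/* Old cleanup: must read the inode to find sbi. Returns -1 when the
 * inode is already gone, i.e. the point where the kernel would UAF. */
static int free_dic_old(struct dic_old *dic)
{
	struct inode_info *ii = dic->inode;
	if (!ii->live)
		return -1;
	page_array_free(ii->sbi, dic->pages);
	free(dic);
	return 0;
}

/* Fixed cleanup: everything needed lives in the dic itself. */
static int free_dic_new(struct dic_new *dic)
{
	page_array_free(dic->sbi, dic->pages);
	free(dic);
	return 0;
}

/* Race: the dic free is deferred and the inode is evicted first. */
int scenario_old(void)
{
	struct sb_info sbi = { 0 };
	struct inode_info ii = { &sbi, ALGO_LZ4, 1 };
	struct dic_old *dic = malloc(sizeof(*dic));
	int rc;

	dic->inode = &ii;
	dic->pages = page_array_alloc(ii.sbi, 4);
	evict_inode(&ii);             /* unlink/eviction wins the race */
	rc = free_dic_old(dic);       /* -1: would touch the freed inode */
	if (rc < 0) {                 /* model only: avoid leaking the dic */
		free(dic->pages);
		free(dic);
	}
	return rc;
}

int scenario_new(void)
{
	struct sb_info sbi = { 0 };
	struct inode_info ii = { &sbi, ALGO_LZ4, 1 };
	struct dic_new *dic = malloc(sizeof(*dic));
	enum compress_algo algo;

	dic->inode = &ii;
	dic->sbi = ii.sbi;            /* snapshot at allocation time */
	dic->algo = ii.algo;
	dic->pages = page_array_alloc(dic->sbi, 4);
	evict_inode(&ii);
	algo = dic->algo;             /* valid: never reads the inode again */
	if (free_dic_new(dic) != 0 || sbi.page_array_frees != 1)
		return -1;
	return algo == ALGO_LZ4 ? 0 : -1;
}

int main(void)
{
	printf("old dic free after eviction: %s\n",
	       scenario_old() == 0 ? "ok" : "would be a use-after-free");
	printf("new dic free after eviction: %s\n",
	       scenario_new() == 0 ? "ok" : "FAILED");
	return 0;
}
```

The model deliberately keeps the inode pointer in dic_new, as the kernel struct still does: the point of the fix is not to drop the inode but to stop cleanup code from reading through it once the I/O has completed and the inode's lifetime is no longer guaranteed.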