CVE-2022-49428

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to do sanity check on inline_dots inode

As Wenqing reported in bugzilla:

https://bugzilla.kernel.org/show_bug.cgi?id=215765

It will cause a kernel panic with steps: - mkdir mnt - mount tmp40.img mnt - ls mnt

foliomarkdirty+0x33/0x50 f2fsaddregularentry+0x541/0xad0 [f2fs] f2fsadddentry+0x6c/0xb0 [f2fs] f2fsdoaddlink+0x182/0x230 [f2fs] _recoverdotdentries+0x2d6/0x470 [f2fs] f2fslookup+0x5af/0x6a0 [f2fs] _lookupslow+0xac/0x200 lookupslow+0x45/0x70 walkcomponent+0x16c/0x250 pathlookupat+0x8b/0x1f0 filenamelookup+0xef/0x250 userpathatempty+0x46/0x70 vfsstatx+0x98/0x190 _dosysnewlstat+0x41/0x90 _x64sysnewlstat+0x1a/0x30 dosyscall64+0x37/0xb0 entrySYSCALL64afterhwframe+0x44/0xae

The root cause is for special file: e.g. character, block, fifo or socket file, f2fs doesn't assign address space operations pointer array for mapping->aops field, so, in a fuzzed image, if inlinedots flag was tagged in special file, during lookup(), when f2fs runs into _recoverdotdentries(), it will cause NULL pointer access once f2fsaddregularentry() calls aops->setdirty_page().