In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to drop meta_inode's page cache in f2fs_put_super()
syzbot reports a kernel bug as below:
F2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1
kernel BUG at fs/f2fs/super.c:1639!
CPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0
RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639
Call Trace:
 generic_shutdown_super+0x161/0x3c0 fs/super.c:693
 kill_block_super+0x3b/0x70 fs/super.c:1646
 kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879
 deactivate_locked_super+0x9a/0x170 fs/super.c:481
 deactivate_super+0xde/0x100 fs/super.c:514
 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254
 task_work_run+0x14d/0x240 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296
 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
In f2fs_put_super(), f2fs sanity-checks its dirty and IO reference counts; if any reference count has leaked, it triggers a panic.
The root cause is that, during f2fs_put_super(), if an IO error occurs in f2fs_wait_on_all_pages(), we fail to truncate meta_inode's page cache afterwards, which results in the panic; fix this case.
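The failure mode above, as an added, constructed model rather than kernel code: a superblock counter stands in for the dirty/IO reference count, wait_on_all_pages() and truncate_meta_pages() are stand-ins for f2fs_wait_on_all_pages() and the meta_inode page cache truncation, and put_super() shows the unfixed path (cleanup skipped after an IO error) beside the fixed one (cleanup always runs).

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the umount path, not kernel code. dirty_meta stands in
 * for the reference count that the sanity check expects to be zero at teardown. */
struct sbi {
    int cached_meta; /* pages held in meta_inode's page cache */
    int dirty_meta;  /* of those, pages still holding a dirty reference */
};

/* Stand-in for f2fs_wait_on_all_pages(): writeback succeeds, or fails with -EIO. */
static int wait_on_all_pages(struct sbi *sbi, bool inject_io_error)
{
    if (inject_io_error)
        return -5; /* -EIO: pages stay dirty in the cache */
    sbi->dirty_meta = 0;
    return 0;
}

/* Stand-in for truncating meta_inode's page cache: pages and their references go. */
static void truncate_meta_pages(struct sbi *sbi)
{
    sbi->cached_meta = 0;
    sbi->dirty_meta = 0;
}

/* Returns the leaked count the umount sanity check would see (non-zero = BUG).
 * The unfixed path truncates only after a successful writeback. */
static int put_super(struct sbi *sbi, bool inject_io_error, bool fixed)
{
    int err = wait_on_all_pages(sbi, inject_io_error);
    if (!err || fixed)
        truncate_meta_pages(sbi);
    return sbi->dirty_meta;
}

/* Mount a model fs with four cached, two dirty meta pages, then unmount it. */
static int umount_leak(bool inject_io_error, bool fixed)
{
    struct sbi sbi = { .cached_meta = 4, .dirty_meta = 2 };
    return put_super(&sbi, inject_io_error, fixed);
}

int main(void)
{
    printf("unfixed, IO error: leak=%d\n", umount_leak(true, false)); /* 2 */
    printf("fixed,   IO error: leak=%d\n", umount_leak(true, true));  /* 0 */
    return 0;
}
```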