In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix potential bug in endbufferasync_write
According to a syzbot report, endbufferasyncwrite(), which handles the completion of block device writes, may detect abnormal condition of the buffer asyncwrite flag and cause a BUG_ON failure when using nilfs2.
Nilfs2 itself does not use endbufferasyncwrite(). But, the asyncwrite flag is now used as a marker by commit 7f42ec394156 ("nilfs2: fix issue with race condition of competition between segments for dirty blocks") as a means of resolving double list insertion of dirty blocks in nilfslookupdirtydatabuffers() and nilfslookupnode_buffers() and the resulting crash.
This modification is safe as long as it is used for file data and b-tree node blocks where the page caches are independent. However, it was irrelevant and redundant to also introduce asyncwrite for segment summary and super root blocks that share buffers with the backing device. This led to the possibility that the BUGON check in endbufferasync_write would fail as described above, if independent writebacks of the backing device occurred in parallel.
The use of async_write for segment summary buffers has already been removed in a previous change.
Fix this issue by removing the manipulation of the async_write flag for the remaining super root block buffer.