From 7873fc3b64ca2cf653f3ad267e86f54f2411db84 Mon Sep 17 00:00:00 2001
From: zzzzzzzzzy9 <zhang.yu58@zte.com.cn>
Date: Wed, 25 Jun 2025 14:31:00 +0800
Subject: [PATCH] gfs2: Truncate address space when flipping GFS2_DIF_JDATA
 flag

commit 4dd57d1f0e9844311c635a7fb39abce4f2ac5a61 upstream.

Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag:
depending on that flag, the pages in the address space will either use
buffer heads or iomap_folio_state structs, and we cannot mix the two.

Reported-by: Kun Hu <huk23@m.fudan.edu.cn>, Jiaji Qin <jjtan24@m.fudan.edu.cn>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes: CVE-2025-21699
Signed-off-by: zzzzzzzzzy9 <zhang.yu58@zte.com.cn>
Reviewed-by: Huang Jian <huang.jian@zte.com.cn>
Link: https://gitee.com/anolis/embedded-kernel/pulls/842
---
 fs/gfs2/file.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
index f2700477a300..6ba0ea1e3071 100644
--- a/fs/gfs2/file.c
+++ b/fs/gfs2/file.c
@@ -251,6 +251,7 @@ static int do_gfs2_set_flags(struct inode *inode, u32 reqflags, u32 mask)
 		error = filemap_fdatawait(inode->i_mapping);
 		if (error)
 			goto out;
+		truncate_inode_pages(inode->i_mapping, 0);
 		if (new_flags & GFS2_DIF_JDATA)
 			gfs2_ordered_del_inode(ip);
 	}
-- 
Gitee