Home Home > GIT Browse
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2018-08-13 16:46:27 +0200
committerJan Kara <jack@suse.cz>2018-08-13 17:07:57 +0200
commitd4c749706a5b4e7f56db7c2c5d82d4e63adde999 (patch)
tree161a266ae138af235a9e9ac0fd684ecd2a983409
parenta08f4020b7389554ca53aae2cadc5af10e11e423 (diff)
ext4: avoid running out of journal credits when appending to
an inline file (bsc#1099863 cve-2018-10883).
-rw-r--r--patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch124
-rw-r--r--series.conf1
2 files changed, 125 insertions, 0 deletions
diff --git a/patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch b/patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
new file mode 100644
index 0000000000..ba7334fee6
--- /dev/null
+++ b/patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
@@ -0,0 +1,124 @@
+From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 23:41:59 -0400
+Subject: [PATCH] ext4: avoid running out of journal credits when appending to
+ an inline file
+Git-commit: 8bc1379b82b8e809eef77a9fedbb75c6c297be19
+Patch-mainline: v4.18-rc4
+References: bsc#1099863 cve-2018-10883
+
+Use a separate journal transaction if it turns out that we need to
+convert an inline file to use an data block. Otherwise we could end
+up failing due to not having journal credits.
+
+This addresses CVE-2018-10883.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200071
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Acked-by: Jan Kara <jack@suse.cz>
+
+---
+ fs/ext4/ext4.h | 3 ---
+ fs/ext4/inline.c | 38 +-------------------------------------
+ fs/ext4/xattr.c | 18 ++----------------
+ 3 files changed, 3 insertions(+), 56 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -3051,9 +3051,6 @@ extern struct buffer_head *ext4_get_firs
+ extern int ext4_inline_data_fiemap(struct inode *inode,
+ struct fiemap_extent_info *fieinfo,
+ int *has_inline, __u64 start, __u64 len);
+-extern int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed);
+ extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
+
+ extern int ext4_convert_inline_data(struct inode *inode);
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -889,11 +889,11 @@ retry_journal:
+ flags |= AOP_FLAG_NOFS;
+
+ if (ret == -ENOSPC) {
++ ext4_journal_stop(handle);
+ ret = ext4_da_convert_inline_data_to_extent(mapping,
+ inode,
+ flags,
+ fsdata);
+- ext4_journal_stop(handle);
+ if (ret == -ENOSPC &&
+ ext4_should_retry_alloc(inode->i_sb, &retries))
+ goto retry_journal;
+@@ -1866,42 +1866,6 @@ out:
+ return (error < 0 ? error : 0);
+ }
+
+-/*
+- * Called during xattr set, and if we can sparse space 'needed',
+- * just create the extent tree evict the data to the outer block.
+- *
+- * We use jbd2 instead of page cache to move data to the 1st block
+- * so that the whole transaction can be committed as a whole and
+- * the data isn't lost because of the delayed page cache write.
+- */
+-int ext4_try_to_evict_inline_data(handle_t *handle,
+- struct inode *inode,
+- int needed)
+-{
+- int error;
+- struct ext4_xattr_entry *entry;
+- struct ext4_inode *raw_inode;
+- struct ext4_iloc iloc;
+-
+- error = ext4_get_inode_loc(inode, &iloc);
+- if (error)
+- return error;
+-
+- raw_inode = ext4_raw_inode(&iloc);
+- entry = (struct ext4_xattr_entry *)((void *)raw_inode +
+- EXT4_I(inode)->i_inline_off);
+- if (EXT4_XATTR_LEN(entry->e_name_len) +
+- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
+- error = -ENOSPC;
+- goto out;
+- }
+-
+- error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+-out:
+- brelse(iloc.bh);
+- return error;
+-}
+-
+ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ {
+ handle_t *handle;
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1086,22 +1086,8 @@ int ext4_xattr_ibody_inline_set(handle_t
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+ error = ext4_xattr_set_entry(i, s);
+- if (error) {
+- if (error == -ENOSPC &&
+- ext4_has_inline_data(inode)) {
+- error = ext4_try_to_evict_inline_data(handle, inode,
+- EXT4_XATTR_LEN(strlen(i->name) +
+- EXT4_XATTR_SIZE(i->value_len)));
+- if (error)
+- return error;
+- error = ext4_xattr_ibody_find(inode, i, is);
+- if (error)
+- return error;
+- error = ext4_xattr_set_entry(i, s);
+- }
+- if (error)
+- return error;
+- }
++ if (error)
++ return error;
+ header = IHDR(inode, ext4_raw_inode(&is->iloc));
+ if (!IS_LAST_ENTRY(s->first)) {
+ header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
diff --git a/series.conf b/series.conf
index 263b6f6cce..9933a6f4c3 100644
--- a/series.conf
+++ b/series.conf
@@ -7595,6 +7595,7 @@
patches.fixes/ext4-fix-inline-data-updates-with-checksums-enabled.patch
patches.fixes/ext4-check-for-allocation-block-validity-with-block-.patch
patches.fixes/ext4-fix-check-to-prevent-initializing-reserved-inod.patch
+ patches.fixes/ext4-avoid-running-out-of-journal-credits-when-appen.patch
patches.fixes/ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
patches.fixes/vfs-add-the-sb_start_intwrite_trylock-helper.patch
patches.fixes/ext4-factor-out-helper-ext4_sample_last_mounted.patch