releases/4.9.135/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch

   1 From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001
   2 From: Theodore Ts'o <tytso@mit.edu>
   3 Date: Sat, 16 Jun 2018 23:41:59 -0400
   4 Subject: ext4: avoid running out of journal credits when appending to an inline file
   5
   6 From: Theodore Ts'o <tytso@mit.edu>
   7
   8 commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
   9
  10 Use a separate journal transaction if it turns out that we need to
  11 convert an inline file to use an data block.  Otherwise we could end
  12 up failing due to not having journal credits.
  13
  14 This addresses CVE-2018-10883.
  15
  16 https://bugzilla.kernel.org/show_bug.cgi?id=200071
  17
  18 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  19 Cc: stable@kernel.org
  20 [fengc@google.com: 4.4 and 4.9 backport: adjust context]
  21 Signed-off-by: Chenbo Feng <fengc@google.com>
  22 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23 ---
  24  fs/ext4/ext4.h   |    3 ---
  25  fs/ext4/inline.c |   38 +-------------------------------------
  26  fs/ext4/xattr.c  |   18 ++----------------
  27  3 files changed, 3 insertions(+), 56 deletions(-)
  28
  29 --- a/fs/ext4/ext4.h
  30 +++ b/fs/ext4/ext4.h
  31 @@ -3038,9 +3038,6 @@ extern struct buffer_head *ext4_get_firs
  32  extern int ext4_inline_data_fiemap(struct inode *inode,
  33                                    struct fiemap_extent_info *fieinfo,
  34                                    int *has_inline, __u64 start, __u64 len);
  35 -extern int ext4_try_to_evict_inline_data(handle_t *handle,
  36 -                                        struct inode *inode,
  37 -                                        int needed);
  38  extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
  39
  40  extern int ext4_convert_inline_data(struct inode *inode);
  41 --- a/fs/ext4/inline.c
  42 +++ b/fs/ext4/inline.c
  43 @@ -889,11 +889,11 @@ retry_journal:
  44         flags |= AOP_FLAG_NOFS;
  45
  46         if (ret == -ENOSPC) {
  47 +               ext4_journal_stop(handle);
  48                 ret = ext4_da_convert_inline_data_to_extent(mapping,
  49                                                             inode,
  50                                                             flags,
  51                                                             fsdata);
  52 -               ext4_journal_stop(handle);
  53                 if (ret == -ENOSPC &&
  54                     ext4_should_retry_alloc(inode->i_sb, &retries))
  55                         goto retry_journal;
  56 @@ -1865,42 +1865,6 @@ out:
  57         return (error < 0 ? error : 0);
  58  }
  59
  60 -/*
  61 - * Called during xattr set, and if we can sparse space 'needed',
  62 - * just create the extent tree evict the data to the outer block.
  63 - *
  64 - * We use jbd2 instead of page cache to move data to the 1st block
  65 - * so that the whole transaction can be committed as a whole and
  66 - * the data isn't lost because of the delayed page cache write.
  67 - */
  68 -int ext4_try_to_evict_inline_data(handle_t *handle,
  69 -                                 struct inode *inode,
  70 -                                 int needed)
  71 -{
  72 -       int error;
  73 -       struct ext4_xattr_entry *entry;
  74 -       struct ext4_inode *raw_inode;
  75 -       struct ext4_iloc iloc;
  76 -
  77 -       error = ext4_get_inode_loc(inode, &iloc);
  78 -       if (error)
  79 -               return error;
  80 -
  81 -       raw_inode = ext4_raw_inode(&iloc);
  82 -       entry = (struct ext4_xattr_entry *)((void *)raw_inode +
  83 -                                           EXT4_I(inode)->i_inline_off);
  84 -       if (EXT4_XATTR_LEN(entry->e_name_len) +
  85 -           EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
  86 -               error = -ENOSPC;
  87 -               goto out;
  88 -       }
  89 -
  90 -       error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
  91 -out:
  92 -       brelse(iloc.bh);
  93 -       return error;
  94 -}
  95 -
  96  void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
  97  {
  98         handle_t *handle;
  99 --- a/fs/ext4/xattr.c
 100 +++ b/fs/ext4/xattr.c
 101 @@ -1086,22 +1086,8 @@ int ext4_xattr_ibody_inline_set(handle_t
 102         if (EXT4_I(inode)->i_extra_isize == 0)
 103                 return -ENOSPC;
 104         error = ext4_xattr_set_entry(i, s, inode);
 105 -       if (error) {
 106 -               if (error == -ENOSPC &&
 107 -                   ext4_has_inline_data(inode)) {
 108 -                       error = ext4_try_to_evict_inline_data(handle, inode,
 109 -                                       EXT4_XATTR_LEN(strlen(i->name) +
 110 -                                       EXT4_XATTR_SIZE(i->value_len)));
 111 -                       if (error)
 112 -                               return error;
 113 -                       error = ext4_xattr_ibody_find(inode, i, is);
 114 -                       if (error)
 115 -                               return error;
 116 -                       error = ext4_xattr_set_entry(i, s, inode);
 117 -               }
 118 -               if (error)
 119 -                       return error;
 120 -       }
 121 +       if (error)
 122 +               return error;
 123         header = IHDR(inode, ext4_raw_inode(&is->iloc));
 124         if (!IS_LAST_ENTRY(s->first)) {
 125                 header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);