From: Greg Kroah-Hartman Date: Sun, 18 Aug 2013 18:28:25 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.92~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d815cc0c2fb516b1d350b3e10d3caed976c616a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch --- diff --git a/queue-3.4/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch b/queue-3.4/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch new file mode 100644 index 00000000000..0791c36070e --- /dev/null +++ b/queue-3.4/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch 
@@ -0,0 +1,47 @@ +From 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 12 Aug 2013 09:53:28 -0400 +Subject: jbd2: Fix use after free after error in jbd2_journal_dirty_metadata() + +From: Jan Kara + +commit 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 upstream. + +When jbd2_journal_dirty_metadata() returns error, +__ext4_handle_dirty_metadata() stops the handle. However callers of this +function do not count with that fact and still happily used now freed +handle. This use after free can result in various issues but very likely +we oops soon. + +The motivation of adding __ext4_journal_stop() into +__ext4_handle_dirty_metadata() in commit 9ea7a0df seems to be only to +improve error reporting. So replace __ext4_journal_stop() with +ext4_journal_abort_handle() which was there before that commit and add +WARN_ON_ONCE() to dump stack to provide useful information. + +Reported-by: Sage Weil +Signed-off-by: Jan Kara +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/ext4_jbd2.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/ext4/ext4_jbd2.c ++++ b/fs/ext4/ext4_jbd2.c +@@ -109,10 +109,10 @@ int __ext4_handle_dirty_metadata(const c + + if (ext4_handle_valid(handle)) { + err = jbd2_journal_dirty_metadata(handle, bh); +- if (err) { +- /* Errors can only happen if there is a bug */ +- handle->h_err = err; +- __ext4_journal_stop(where, line, handle); ++ /* Errors can only happen if there is a bug */ ++ if (WARN_ON_ONCE(err)) { ++ ext4_journal_abort_handle(where, line, __func__, bh, ++ handle, err); + } + } else { + if (inode) diff --git a/queue-3.4/series b/queue-3.4/series index 733cb7d551a..39ff1ebd971 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
@@ -31,3 +31,4 @@ xtensa-replace-xtensa-specific-_f-data-text-by-_s-data-text.patch arm-7809-1-perf-fix-event-validation-for-software-group-leaders.patch m68k-truncate-base-in-do_div.patch m68k-atari-aranym-fix-natfeat-module-support.patch +jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch
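Review bot: in the fs/ext4/ext4_jbd2.c hunk of the queued patch, the removed `handle->h_err = err;` has no visible replacement, and since the point of the change is that callers keep using the handle and stop it themselves, the error must still be recorded on the handle for the later __ext4_journal_stop() to report; confirm that ext4_journal_abort_handle(where, line, __func__, bh, handle, err) stores err in handle->h_err, or keep the explicit assignment before the call. The rest of the hunk reads as intended: wrapping the test in `if (WARN_ON_ONCE(err))` dumps a stack once for what the comment calls a bug-only path, and aborting the handle instead of stopping it removes the use-after-free described in the commit message without changing the else branch.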