From: Greg Kroah-Hartman Date: Mon, 2 May 2016 18:50:25 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.68~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=68c016c8b37756e2f495575436ae210e9242da46;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: ext4-fix-null-pointer-dereference-in-ext4_mark_inode_dirty.patch --- diff --git a/queue-3.14/ext4-fix-null-pointer-dereference-in-ext4_mark_inode_dirty.patch b/queue-3.14/ext4-fix-null-pointer-dereference-in-ext4_mark_inode_dirty.patch new file mode 100644 index 00000000000..b8da89f6518 --- /dev/null +++ b/queue-3.14/ext4-fix-null-pointer-dereference-in-ext4_mark_inode_dirty.patch 
@@ -0,0 +1,87 @@ +From 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 Mon Sep 17 00:00:00 2001 +From: Eryu Guan +Date: Sat, 12 Mar 2016 21:40:32 -0500 +Subject: ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() + +From: Eryu Guan + +commit 5e1021f2b6dff1a86a468a1424d59faae2bc63c1 upstream. + +ext4_reserve_inode_write() in ext4_mark_inode_dirty() could fail on +error (e.g. EIO) and iloc.bh can be NULL in this case. But the error is +ignored in the following "if" condition and ext4_expand_extra_isize() +might be called with NULL iloc.bh set, which triggers NULL pointer +dereference. + +This is uncovered by commit 8b4953e13f4c ("ext4: reserve code points for +the project quota feature"), which enlarges the ext4_inode size, and +run the following script on new kernel but with old mke2fs: + + #/bin/bash + mnt=/mnt/ext4 + devname=ext4-error + dev=/dev/mapper/$devname + fsimg=/home/fs.img + + trap cleanup 0 1 2 3 9 15 + + cleanup() + { + umount $mnt >/dev/null 2>&1 + dmsetup remove $devname + losetup -d $backend_dev + rm -f $fsimg + exit 0 + } + + rm -f $fsimg + fallocate -l 1g $fsimg + backend_dev=`losetup -f --show $fsimg` + devsize=`blockdev --getsz $backend_dev` + + good_tab="0 $devsize linear $backend_dev 0" + error_tab="0 $devsize error $backend_dev 0" + + dmsetup create $devname --table "$good_tab" + + mkfs -t ext4 $dev + mount -t ext4 -o errors=continue,strictatime $dev $mnt + + dmsetup load $devname --table "$error_tab" && dmsetup resume $devname + echo 3 > /proc/sys/vm/drop_caches + ls -l $mnt + exit 0 + +[ Patch changed to simplify the function a tiny bit. 
-- Ted ] + +Signed-off-by: Eryu Guan +Signed-off-by: Theodore Ts'o +Cc: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4972,6 +4972,8 @@ int ext4_mark_inode_dirty(handle_t *hand + might_sleep(); + trace_ext4_mark_inode_dirty(inode, _RET_IP_); + err = ext4_reserve_inode_write(handle, inode, &iloc); ++ if (err) ++ return err; + if (ext4_handle_valid(handle) && + EXT4_I(inode)->i_extra_isize < sbi->s_want_extra_isize && + !ext4_test_inode_state(inode, EXT4_STATE_NO_EXPAND)) { +@@ -5002,9 +5004,7 @@ int ext4_mark_inode_dirty(handle_t *hand + } + } + } +- if (!err) +- err = ext4_mark_iloc_dirty(handle, inode, &iloc); +- return err; ++ return ext4_mark_iloc_dirty(handle, inode, &iloc); + } + + /* diff --git a/queue-3.14/series b/queue-3.14/series index 5dc384c8c75..873ae889be9 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -25,3 +25,4 @@ misc-bmp085-enable-building-as-a-module.patch rtc-hym8563-fix-invalid-year-calculation.patch rtc-vr41xx-wire-up-alarm_irq_enable.patch drivers-misc-ad525x_dpot-ad5274-fix-rdac-read-back-errors.patch +ext4-fix-null-pointer-dereference-in-ext4_mark_inode_dirty.patch
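Review bot: Dropping the trailing `if (!err)` guard in the second hunk is only safe if nothing in the elided stretch between the two hunks (new-side lines 4980–5003, the extra_isize expansion branch whose `if` condition ends the first hunk) assigns `err`; that code is not in the hunk, so the backport should be checked against the 3.14 tree rather than assumed to match upstream. Once that holds, the early `if (err) return err;` after `ext4_reserve_inode_write()` leaves `err` known-zero at the end, and `return ext4_mark_iloc_dirty(handle, inode, &iloc);` is an equivalent simplification. The early return deserves a one-line comment tying it to the defect described in the log, e.g. `/* iloc.bh is NULL on failure; nothing below may touch it */` above `return err;`. ext4_mark_inode_dirty() starts before the first hunk and its body continues between and beyond the hunks.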