From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 11 Nov 2018 18:04:20 +0000 (-0800)
Subject: 4.4-stable patches
X-Git-Tag: v4.19.2~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa4796e4479f5c011303b8a9f8c1e5bc26bdd424;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch
---

diff --git a/queue-4.4/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch b/queue-4.4/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch
new file mode 100644
index 00000000000..6042e9d7c23
--- /dev/null
+++ b/queue-4.4/ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch
@@ -0,0 +1,125 @@
+From 8bc1379b82b8e809eef77a9fedbb75c6c297be19 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 23:41:59 -0400
+Subject: ext4: avoid running out of journal credits when appending to an inline file
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
+
+Use a separate journal transaction if it turns out that we need to
+convert an inline file to use an data block.  Otherwise we could end
+up failing due to not having journal credits.
+
+This addresses CVE-2018-10883.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200071
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+[fengc@google.com: 4.4 backport: adjust context]
+Signed-off-by: Chenbo Feng <fengc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h   |    3 ---
+ fs/ext4/inline.c |   38 +-------------------------------------
+ fs/ext4/xattr.c  |   18 ++----------------
+ 3 files changed, 3 insertions(+), 56 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -3039,9 +3039,6 @@ extern struct buffer_head *ext4_get_firs
+ extern int ext4_inline_data_fiemap(struct inode *inode,
+ 				   struct fiemap_extent_info *fieinfo,
+ 				   int *has_inline, __u64 start, __u64 len);
+-extern int ext4_try_to_evict_inline_data(handle_t *handle,
+-					 struct inode *inode,
+-					 int needed);
+ extern void ext4_inline_data_truncate(struct inode *inode, int *has_inline);
+ 
+ extern int ext4_convert_inline_data(struct inode *inode);
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -888,11 +888,11 @@ retry_journal:
+ 	flags |= AOP_FLAG_NOFS;
+ 
+ 	if (ret == -ENOSPC) {
++		ext4_journal_stop(handle);
+ 		ret = ext4_da_convert_inline_data_to_extent(mapping,
+ 							    inode,
+ 							    flags,
+ 							    fsdata);
+-		ext4_journal_stop(handle);
+ 		if (ret == -ENOSPC &&
+ 		    ext4_should_retry_alloc(inode->i_sb, &retries))
+ 			goto retry_journal;
+@@ -1867,42 +1867,6 @@ out:
+ 	return (error < 0 ? error : 0);
+ }
+ 
+-/*
+- * Called during xattr set, and if we can sparse space 'needed',
+- * just create the extent tree evict the data to the outer block.
+- *
+- * We use jbd2 instead of page cache to move data to the 1st block
+- * so that the whole transaction can be committed as a whole and
+- * the data isn't lost because of the delayed page cache write.
+- */
+-int ext4_try_to_evict_inline_data(handle_t *handle,
+-				  struct inode *inode,
+-				  int needed)
+-{
+-	int error;
+-	struct ext4_xattr_entry *entry;
+-	struct ext4_inode *raw_inode;
+-	struct ext4_iloc iloc;
+-
+-	error = ext4_get_inode_loc(inode, &iloc);
+-	if (error)
+-		return error;
+-
+-	raw_inode = ext4_raw_inode(&iloc);
+-	entry = (struct ext4_xattr_entry *)((void *)raw_inode +
+-					    EXT4_I(inode)->i_inline_off);
+-	if (EXT4_XATTR_LEN(entry->e_name_len) +
+-	    EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) {
+-		error = -ENOSPC;
+-		goto out;
+-	}
+-
+-	error = ext4_convert_inline_data_nolock(handle, inode, &iloc);
+-out:
+-	brelse(iloc.bh);
+-	return error;
+-}
+-
+ void ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ {
+ 	handle_t *handle;
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1044,22 +1044,8 @@ int ext4_xattr_ibody_inline_set(handle_t
+ 	if (EXT4_I(inode)->i_extra_isize == 0)
+ 		return -ENOSPC;
+ 	error = ext4_xattr_set_entry(i, s, inode);
+-	if (error) {
+-		if (error == -ENOSPC &&
+-		    ext4_has_inline_data(inode)) {
+-			error = ext4_try_to_evict_inline_data(handle, inode,
+-					EXT4_XATTR_LEN(strlen(i->name) +
+-					EXT4_XATTR_SIZE(i->value_len)));
+-			if (error)
+-				return error;
+-			error = ext4_xattr_ibody_find(inode, i, is);
+-			if (error)
+-				return error;
+-			error = ext4_xattr_set_entry(i, s, inode);
+-		}
+-		if (error)
+-			return error;
+-	}
++	if (error)
++		return error;
+ 	header = IHDR(inode, ext4_raw_inode(&is->iloc));
+ 	if (!IS_LAST_ENTRY(s->first)) {
+ 		header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC);
diff --git a/queue-4.4/series b/queue-4.4/series
index 27817fe8430..015f36870e5 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -81,3 +81,4 @@ xen-fix-xen_qlock_wait.patch
 media-em28xx-use-a-default-format-if-try_fmt-fails.patch
 media-em28xx-fix-input-name-for-terratec-av-350.patch
 media-em28xx-make-v4l2-compliance-happier-by-starting-sequence-on-zero.patch
+ext4-avoid-running-out-of-journal-credits-when-appending-to-an-inline-file.patch