From f30457b58db2976e447ede54ade5d648b6b7745b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 3 Aug 2016 08:04:02 +0200
Subject: [PATCH] 4.7-stable patches added patches: ext4-verify-extent-header-depth.patch
---
.../ext4-verify-extent-header-depth.patch | 74 +++++++++++++++++++
queue-4.7/series | 1 +
2 files changed, 75 insertions(+)
create mode 100644 queue-4.7/ext4-verify-extent-header-depth.patch
create mode 100644 queue-4.7/series
diff --git a/queue-4.7/ext4-verify-extent-header-depth.patch b/queue-4.7/ext4-verify-extent-header-depth.patch
new file mode 100644
index 00000000000..5e357bf3cef
--- /dev/null
+++ b/queue-4.7/ext4-verify-extent-header-depth.patch
@@ -0,0 +1,74 @@
+From 7bc9491645118c9461bd21099c31755ff6783593 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum
+Date: Fri, 15 Jul 2016 00:22:07 -0400
+Subject: ext4: verify extent header depth
+
+From: Vegard Nossum
+
+commit 7bc9491645118c9461bd21099c31755ff6783593 upstream.
+
+Although the extent tree depth of 5 should enough be for the worst
+case of 2*32 extents of length 1, the extent tree code does not
+currently to merge nodes which are less than half-full with a sibling
+node, or to shrink the tree depth if possible. So it's possible, at
+least in theory, for the tree depth to be greater than 5. However,
+even in the worst case, a tree depth of 32 is highly unlikely, and if
+the file system is maliciously corrupted, an insanely large eh_depth
+can cause memory allocation failures that will trigger kernel warnings
+(here, eh_depth = 65280):
+
+ JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293 start_this_handle+0x569/0x580
+ CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
+ Stack:
+ 604a8947 625badd8 0002fd09 00000000
+ 60078643 00000000 62623910 601bf9bc
+ 62623970 6002fc84 626239b0 900000125
+ Call Trace:
+ [<6001c2dc>] show_stack+0xdc/0x1a0
+ [<601bf9bc>] dump_stack+0x2a/0x2e
+ [<6002fc84>] __warn+0x114/0x140
+ [<6002fdff>] warn_slowpath_null+0x1f/0x30
+ [<60165829>] start_this_handle+0x569/0x580
+ [<60165d4e>] jbd2__journal_start+0x11e/0x220
+ [<60146690>] __ext4_journal_start_sb+0x60/0xa0
+ [<60120a81>] ext4_truncate+0x131/0x3a0
+ [<60123677>] ext4_setattr+0x757/0x840
+ [<600d5d0f>] notify_change+0x16f/0x2a0
+ [<600b2b16>] do_truncate+0x76/0xc0
+ [<600c3e56>] path_openat+0x806/0x1300
+ [<600c55c9>] do_filp_open+0x89/0xf0
+ [<600b4074>] do_sys_open+0x134/0x1e0
+ [<600b4140>] SyS_open+0x20/0x30
+ [<6001ea68>] handle_syscall+0x88/0x90
+ [<600295fd>] userspace+0x3fd/0x500
+ [<6001ac55>] fork_handler+0x85/0x90
+
+ ---[ end trace 08b0b88b6387a244 ]---
+
+[ Commit message modified and the extent tree depath check changed
+from 5 to 32 -- tytso ]
+
+Cc: Darrick J. Wong
+Signed-off-by: Vegard Nossum
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext4/extents.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -474,6 +474,10 @@ static int __ext4_ext_check(const char *
+ error_msg = "invalid extent entries";
+ goto corrupted;
+ }
++ if (unlikely(depth > 32)) {
++ error_msg = "too large eh_depth";
++ goto corrupted;
++ }
+ /* Verify checksum on non-root extent tree nodes */
+ if (ext_depth(inode) != depth &&
+ !ext4_extent_block_csum_verify(inode, eh)) {
diff --git a/queue-4.7/series b/queue-4.7/series
new file mode 100644
index 00000000000..b7207450164
--- /dev/null
+++ b/queue-4.7/series
@@ -0,0 +1 @@
+ext4-verify-extent-header-depth.patch
-- 2.47.3
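Review bot: The limit in the added `if (unlikely(depth > 32))` check is a bare literal, and the reasoning behind it exists only in the commit message (5 levels suffice in theory, but nodes are never merged and the tree never shrinks, so 32 leaves headroom). Because this bound is what rejects an eh_depth taken from a possibly maliciously corrupted image, I would put a comment directly above the check, for example `/* depth comes from on-disk eh_depth: 5 levels suffice in theory, 32 leaves slack because nodes are never merged */`, or give the limit a name beside the other extent definitions. The new check also sits after the "invalid extent entries" test, so that test still runs with an out-of-range depth. Whether that matters depends on code outside the hunk, since `__ext4_ext_check` starts and ends beyond the visible lines.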