From: Greg Kroah-Hartman
Date: Wed, 13 Sep 2017 03:41:54 +0000 (-0700)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.71~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d003a414010a6a45cf2e5eaec30475e3533a6ea;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-device-present.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index 85b3b00640e..540cbdecef5 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -29,3 +29,4 @@ alsa-msnd-optimize-harden-dsp-and-midi-loops.patch
 bluetooth-properly-check-l2cap-config-option-output-buffer-length.patch
 arm-8692-1-mm-abort-uaccess-retries-upon-fatal-signal.patch
 nfs-fix-2-use-after-free-issues-in-the-i-o-code.patch
+xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-device-present.patch
diff --git a/queue-4.4/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-device-present.patch b/queue-4.4/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-device-present.patch
new file mode 100644
index 00000000000..9aa86f5e681
--- /dev/null
+++ b/queue-4.4/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-device-present.patch
@@ -0,0 +1,71 @@
+From b31ff3cdf540110da4572e3e29bd172087af65cc Mon Sep 17 00:00:00 2001
+From: Richard Wareing
+Date: Wed, 13 Sep 2017 09:09:35 +1000
+Subject: xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+
+From: Richard Wareing
+
+commit b31ff3cdf540110da4572e3e29bd172087af65cc upstream.
+
+If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
+a directory in a filesystem that does not have a realtime device and
+create a new file in that directory, it gets marked as a real time file.
+When data is written and a fsync is issued, the filesystem attempts to
+flush a non-existent rt device during the fsync process.
+
+This results in a crash dereferencing a null buftarg pointer in
+xfs_blkdev_issue_flush():
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: xfs_blkdev_issue_flush+0xd/0x20
+ .....
+ Call Trace:
+ xfs_file_fsync+0x188/0x1c0
+ vfs_fsync_range+0x3b/0xa0
+ do_fsync+0x3d/0x70
+ SyS_fsync+0x10/0x20
+ do_syscall_64+0x4d/0xb0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Setting RT inode flags does not require special privileges so any
+unprivileged user can cause this oops to occur. To reproduce, confirm
+kernel is compiled with CONFIG_XFS_RT=y and run:
+
+ # mkfs.xfs -f /dev/pmem0
+ # mount /dev/pmem0 /mnt/test
+ # mkdir /mnt/test/foo
+ # xfs_io -c 'chattr +t' /mnt/test/foo
+ # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
+
+Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
+
+Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
+
+Fixes: f538d4da8d52 ("[XFS] write barrier support")
+Signed-off-by: Richard Wareing
+Signed-off-by: Dave Chinner
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_linux.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -369,7 +369,14 @@ static inline __uint64_t howmany_64(__ui
+ #endif /* DEBUG */
+
+ #ifdef CONFIG_XFS_RT
+-#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME)
++
++/*
++ * make sure we ignore the inode flag if the filesystem doesn't have a
++ * configured realtime device.
++ */
++#define XFS_IS_REALTIME_INODE(ip) \
++ (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \
++ (ip)->i_mount->m_rtdev_targp)
+ #else
+ #define XFS_IS_REALTIME_INODE(ip) (0)
+ #endif
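Review bot: The new XFS_IS_REALTIME_INODE() definition in the inner fs/xfs/xfs_linux.h hunk masks the flag at read time but leaves the root cause in place: as the description itself says, an unprivileged user can still get XFS_DIFLAG_REALTIME set on disk via RTINHERIT on a filesystem with no rt device, so any path that reads `di_flags & XFS_DIFLAG_REALTIME` directly instead of through the macro (if any exist in 4.4), and presumably the xflags reported back to userspace, will still disagree with what the macro now returns. A defence-in-depth follow-up would be to reject the RT/RTINHERIT flag bits in the ioctl setattr path when `ip->i_mount->m_rtdev_targp` is NULL, so the inconsistent on-disk state cannot be created at all; I have not checked whether 4.4's ioctl path already does this. Two smaller points on the macro: it now evaluates `ip` twice and dereferences `i_mount`, so it must only be applied to fully initialised in-core inodes, and the comment would be more useful as `/* Ignore the on-disk RT flag when the fs has no configured realtime device (m_rtdev_targp == NULL); the flag is settable by unprivileged users via RTINHERIT. */`. The surrounding `#ifdef CONFIG_XFS_RT` region is complete within the hunk.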