From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1236ce66f79263e8a862@syzkaller.appspotmail.com, Theodore Tso
Subject: [PATCH 4.16 099/196] ext4: force revalidation of directory pointer after seekdir(2)
Date: Sun, 22 Apr 2018 15:51:59 +0200
Message-Id: <20180422135109.375117801@linuxfoundation.org>
In-Reply-To: <20180422135104.278511750@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o commit e40ff213898502d299351cc2fe1e350cd186f0d3 upstream. A malicious user could force the directory pointer to be in an invalid spot by using seekdir(2). Use the mechanism we already have to notice if the directory has changed since the last time we called ext4_readdir() to force a revalidation of the pointer. Reported-by: syzbot+1236ce66f79263e8a862@syzkaller.appspotmail.com Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- fs/ext4/dir.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -365,13 +365,15 @@ static loff_t ext4_dir_llseek(struct fil { struct inode *inode = file->f_mapping->host; int dx_dir = is_dx_dir(inode); - loff_t htree_max = ext4_get_htree_eof(file); + loff_t ret, htree_max = ext4_get_htree_eof(file); if (likely(dx_dir)) - return generic_file_llseek_size(file, offset, whence, + ret = generic_file_llseek_size(file, offset, whence, htree_max, htree_max); else - return ext4_llseek(file, offset, whence); + ret = ext4_llseek(file, offset, whence); + file->f_version = inode_peek_iversion(inode) - 1; + return ret; } /*
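
Review bot: The added line "file->f_version = inode_peek_iversion(inode) - 1;" at the end of ext4_dir_llseek() carries no comment, and the "- 1" is not self-explanatory. Going by the commit message, the intent is to make f_version differ from the inode's current version so that the next ext4_readdir() takes its existing "directory changed" path and revalidates the pointer; a one-line comment saying so above the assignment would keep a later cleanup from removing it as dead arithmetic. The assignment also runs when ret holds a negative error from generic_file_llseek_size() or ext4_llseek(). That looks harmless, since it only forces an extra revalidation, but if that is deliberate the comment should say so, otherwise the assignment could be guarded with "if (ret >= 0)".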