From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Theodore Tso, stable@kernel.org
Subject: [PATCH 4.9 26/52] jbd2: don't mark block as modified if the handle is out of credits
Date: Tue, 10 Jul 2018 20:24:54 +0200
Message-Id: <20180710182451.959928409@linuxfoundation.org>
In-Reply-To: <20180710182449.285532226@linuxfoundation.org>
References: <20180710182449.285532226@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit e09463f220ca9a1a1ecfda84fcda658f99a1f12a upstream.

Do not set the b_modified flag in the block's journal head until after we're sure that jbd2_journal_dirty_metadata() will not abort with an error due to there not being enough space reserved in the jbd2 handle.

Otherwise, future attempts to modify the buffer may lead to a large number of spurious errors and warnings.

This addresses CVE-2018-10883.

https://bugzilla.kernel.org/show_bug.cgi?id=200071

Signed-off-by: Theodore Ts'o
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman

--- fs/jbd2/transaction.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -1353,6 +1353,13 @@ int jbd2_journal_dirty_metadata(handle_t if (jh->b_transaction == transaction && jh->b_jlist != BJ_Metadata) { jbd_lock_bh_state(bh); + if (jh->b_transaction == transaction && + jh->b_jlist != BJ_Metadata) + pr_err("JBD2: assertion failure: h_type=%u " + "h_line_no=%u block_no=%llu jlist=%u\n", + handle->h_type, handle->h_line_no, + (unsigned long long) bh->b_blocknr, + jh->b_jlist); J_ASSERT_JH(jh, jh->b_transaction != transaction || jh->b_jlist == BJ_Metadata); jbd_unlock_bh_state(bh); @@ -1372,11 +1379,11 @@ int jbd2_journal_dirty_metadata(handle_t * of the transaction. This needs to be done * once a transaction -bzzz */ - jh->b_modified = 1; if (handle->h_buffer_credits <= 0) { ret = -ENOSPC; goto out_unlock_bh; } + jh->b_modified = 1; handle->h_buffer_credits--; }
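
Review bot: The pr_err() added in the first hunk (@@ -1353) reports h_type, h_line_no, block_no and jlist but nothing that says which journal or device the buffer belongs to, so on a host with several journalled filesystems mounted the message cannot be tied to one of them; consider including a device identifier in the format string. The `if` guarding it is also a hand-written negation of the J_ASSERT_JH() condition on the next lines, and the two will drift if either is edited alone; a one-line comment saying the pr_err() exists only to give context just before the assertion fires would make that coupling explicit.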
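
Review bot: In the second hunk (@@ -1372) the position of `jh->b_modified = 1;` relative to the `handle->h_buffer_credits <= 0` check is now the whole fix, yet the surrounding comment ("This needs to be done once a transaction") says nothing about ordering. Add a short comment above the moved assignment stating that the flag must be set only after the credits check has passed, so that the `-ENOSPC` exit through out_unlock_bh leaves the buffer unmarked and a later cleanup does not hoist the assignment back above the check. It would also help to note there that the flag and the `h_buffer_credits--` decrement are meant to happen together.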