From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Theodore Ts'o"
Date: Sat, 22 Sep 2018 01:15:42 +0100
Subject: [PATCH 3.16 36/63] jbd2: don't mark block as modified if the handle is out of credits

3.16.58-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o

commit e09463f220ca9a1a1ecfda84fcda658f99a1f12a upstream.

Do not set the b_modified flag in the block's journal head until after we're sure that jbd2_journal_dirty_metadata() will not abort with an error due to there not being enough space reserved in the jbd2 handle.

Otherwise, future attempts to modify the buffer may lead to a large number of spurious errors and warnings.

This addresses CVE-2018-10883.

https://bugzilla.kernel.org/show_bug.cgi?id=200071

Signed-off-by: Theodore Ts'o
[bwh: Backported to 3.16: Drop the added logging statement, as it's on a code path that doesn't exist here]
Signed-off-by: Ben Hutchings
---
--- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -1288,11 +1288,11 @@ int jbd2_journal_dirty_metadata(handle_t * of the transaction. This needs to be done * once a transaction -bzzz */ - jh->b_modified = 1; if (handle->h_buffer_credits <= 0) { ret = -ENOSPC; goto out_unlock_bh; } + jh->b_modified = 1; handle->h_buffer_credits--; }
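Review bot: nothing in the code records that the moved `jh->b_modified = 1;` must stay below the `handle->h_buffer_credits <= 0` check, and the retained block comment ("This needs to be done once a transaction") does not mention the ordering. A one-line comment above the assignment, saying the flag is set only once the -ENOSPC exit can no longer be taken, would keep a later cleanup from hoisting it back above the check. Separately, the `goto out_unlock_bh` path now leaves `b_modified` at 0, so a later call on the same buffer enters this branch again and re-tests the credits; that matches the intent stated in the commit message, but it is worth confirming that the 3.16 code at `out_unlock_bh` does not assume the flag was already set.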