Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3312470imu;
        Sun, 11 Nov 2018 12:08:43 -0800 (PST)
X-Google-Smtp-Source: AJdET5eU62ailGduHeWVAcCWOMcDm98txywWl5PDgiYbcuemSdkehUjerLtLbDXUmXyG7COFQ0kP
X-Received: by 2002:a17:902:a710:: with SMTP id w16-v6mr9731189plq.24.1541966923700;
        Sun, 11 Nov 2018 12:08:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1541966923; cv=none;
        d=google.com; s=arc-20160816;
        b=x/yXpGJf+4rqHxtGMPGBL/nc4+oEgcj6eNz3IiiIShkHkWU0ddWQXBDRnC9E9MWSJB
         MGGxYjf+AmNpnfb9z4fGWXhX7H1YsPdc3Cuu+M6I9Lp2Zob87jOdF7Nn/sS/GzJmR/z4
         hnK82OVqKJon8+fASEJ87zoAiQWUci9yu9BQx76Qgx5vcpIn09gkN4liJUcoVxRs9C3q
         +cT8ThzqbOaixgexs+k5bEaFGcwwttrY+UU2uTt7ohKFtaNXbjZTgRuXKiD9O2TukPEx
         qiuT/Bd3HgGu4ZVj3+Pi2LJH6OUWU2y1RkJBxxhVJibAWYkVHRBz4/FpU8lw5wLKX4Fu
         z05g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to
         :from:mime-version:content-transfer-encoding:content-disposition;
        bh=ukzTTLyQ9kXRJMpSxVgOzL9kr1YVzbibhsVeE/zKrLs=;
        b=H1YkDl6qaPIOXDMz3FRJ3gidzjkUy5ti30etgpM+V3Xil56E6t8pCvgJKYNONZoQHm
         Ejse2FHxjjNZQ9RS3beF3yGR2tGCaRz2m8msi6CYPhVUpE9n4T/4CrX+DnQZ5V9S2Yyx
         AA5uSiZa2ScpcTW98kw2SLvj3EfoAfEemY+YignFI90NfokUsL/i6fRzV5rodjOuGbto
         bUn+bKsLSsj7bixyikeRaQhppkJuzHeBQCDsPkE25WnqklNu+xoyrOIGv7E9qAUjyWJi
         0M7MvcgB9X4a8xpQV2AdqCbRLEZUp+MLT6ZJwP5f9ndxyZA+TEqlSyDFGLn2a4udnuF3
         Znig==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 129-v6si16758577pfy.164.2018.11.11.12.08.28;
        Sun, 11 Nov 2018 12:08:43 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731292AbeKLF4Y (ORCPT <rfc822;hubert.jasudowicz@gmail.com>
        + 99 others); Mon, 12 Nov 2018 00:56:24 -0500
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:52044 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1727449AbeKLF4X (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Nov 2018 00:56:23 -0500
Received: from [192.168.4.242] (helo=deadeye)
        by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <ben@decadent.org.uk>)
        id 1gLvt7-0000oU-LR; Sun, 11 Nov 2018 19:59:17 +0000
Received: from ben by deadeye with local (Exim 4.91)
        (envelope-from <ben@decadent.org.uk>)
        id 1gLvsQ-0001SU-2t; Sun, 11 Nov 2018 19:58:34 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
From:   Ben Hutchings <ben@decadent.org.uk>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC:     akpm@linux-foundation.org, "Andreas Dilger" <adilger@dilger.ca>,
        "Theodore Ts'o" <tytso@mit.edu>
Date:   Sun, 11 Nov 2018 19:49:05 +0000
Message-ID: <lsq.1541965745.264978815@decadent.org.uk>
X-Mailer: LinuxStableQueue (scripts by bwh)
Subject: [PATCH 3.16 080/366] ext4: bubble errors from ext4_find_inline_data_nolock()
 up to ext4_iget()
In-Reply-To: <lsq.1541965744.387173642@decadent.org.uk>
X-SA-Exim-Connect-IP: 192.168.4.242
X-SA-Exim-Mail-From: ben@decadent.org.uk
X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

3.16.61-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Theodore Ts'o <tytso@mit.edu>

commit eb9b5f01c33adebc31cbc236c02695f605b0e417 upstream.

If ext4_find_inline_data_nolock() returns an error it needs to get
reflected up to ext4_iget().  In order to fix this,
ext4_iget_extra_inode() needs to return an error (and not return
void).

This is related to "ext4: do not allow external inodes for inline
data" (which fixes CVE-2018-11412) in that in the errors=continue
case, it would be useful to for userspace to receive an error
indicating that file system is corrupted.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 fs/ext4/inode.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4159,19 +4159,21 @@ static blkcnt_t ext4_inode_blocks(struct
 	}
 }
 
-static inline void ext4_iget_extra_inode(struct inode *inode,
+static inline int ext4_iget_extra_inode(struct inode *inode,
 					 struct ext4_inode *raw_inode,
 					 struct ext4_inode_info *ei)
 {
 	__le32 *magic = (void *)raw_inode +
 			EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
+
 	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
 	    EXT4_INODE_SIZE(inode->i_sb) &&
 	    *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
 		ext4_set_inode_state(inode, EXT4_STATE_XATTR);
-		ext4_find_inline_data_nolock(inode);
+		return ext4_find_inline_data_nolock(inode);
 	} else
 		EXT4_I(inode)->i_inline_off = 0;
+	return 0;
 }
 
 struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
@@ -4331,7 +4333,9 @@ struct inode *ext4_iget(struct super_blo
 			ei->i_extra_isize = sizeof(struct ext4_inode) -
 					    EXT4_GOOD_OLD_INODE_SIZE;
 		} else {
-			ext4_iget_extra_inode(inode, raw_inode, ei);
+			ret = ext4_iget_extra_inode(inode, raw_inode, ei);
+			if (ret)
+				goto bad_inode;
 		}
 	}