From 583664c6ae455baeac1c88404f314df5485e9f5b Mon Sep 17 00:00:00 2001 
From: Theodore Ts'o Date: Mon, 9 Jul 2018 01:45:19 -0400 Subject: [PATCH] Rebase to v4.18-rc4 --- add-corruption-check-in-ext4_xattr_set_entry | 45 ------- add-ext4-journal-lazy-mount-option | 54 ++++----- add-journal-no-cleanup-option | 32 ++--- add-more-inode-number-paranoia-checks | 66 ----------- add-more-mount-time-superblock-checking | 92 --------------- add-warn-on-error-mount-option | 71 ----------- always-check-bg-bounds-in-ext4_init_block_bitmap | 52 --------- always-verify-magic-number-in-xattr-blocks | 42 ------- ...ournal-credits-when-appending-to-an-inline-file | 122 ------------------- check-superblock-mapped-prior-to-committing | 54 --------- ...hat-metadata-blocks-dont-overlap-bg-descriptors | 70 ----------- ...-in-ext4_inode_info-when-destroying-inline-data | 41 ------- ...er-has-modified-if-the-handle-is-out-of-credits | 51 -------- ...ude-illegal-physical-block-in-bad-map-error-msg | 24 ---- jbd2-suppress-extra-newline-in-jbd2_debug | 20 ---- journal-superblock-changes | 75 ++++++------ never-move-system.data-out-of-the-inode-body | 30 ----- only-look-at-bg_flags-if-valid | 130 --------------------- series | 18 +-- timestamps | 48 +++----- verify-depth-in-ext4_find_extent | 42 ------- 21 files changed, 94 insertions(+), 1085 deletions(-) delete mode 100644 add-corruption-check-in-ext4_xattr_set_entry delete mode 100644 add-more-inode-number-paranoia-checks delete mode 100644 add-more-mount-time-superblock-checking delete mode 100644 add-warn-on-error-mount-option delete mode 100644 always-check-bg-bounds-in-ext4_init_block_bitmap delete mode 100644 always-verify-magic-number-in-xattr-blocks delete mode 100644 avoid-running-out-journal-credits-when-appending-to-an-inline-file delete mode 100644 check-superblock-mapped-prior-to-committing delete mode 100644 check-that-metadata-blocks-dont-overlap-bg-descriptors delete mode 100644 clear-i_data-in-ext4_inode_info-when-destroying-inline-data delete mode 100644 
dont-mark-buffer-has-modified-if-the-handle-is-out-of-credits
delete mode 100644 include-illegal-physical-block-in-bad-map-error-msg
delete mode 100644 jbd2-suppress-extra-newline-in-jbd2_debug
delete mode 100644 never-move-system.data-out-of-the-inode-body
delete mode 100644 only-look-at-bg_flags-if-valid
delete mode 100644 verify-depth-in-ext4_find_extent
diff --git a/add-corruption-check-in-ext4_xattr_set_entry b/add-corruption-check-in-ext4_xattr_set_entry
deleted file mode 100644
index 5de70929..00000000
--- a/add-corruption-check-in-ext4_xattr_set_entry
+++ /dev/null
@@ -1,45 +0,0 @@ -ext4: add corruption check in ext4_xattr_set_entry() - -In theory this should have been caught earlier when the xattr list was -verified, but in case it got missed, it's simple enough to add check -to make sure we don't overrun the xattr buffer. - -This addresses CVE-2018-10879. - -https://bugzilla.kernel.org/show_bug.cgi?id=200001 - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -Cc: stable@kernel.org ---- - fs/ext4/xattr.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index fc4ced59c565..230ba79715f6 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -1560,7 +1560,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, - handle_t *handle, struct inode *inode, - bool is_block) - { -- struct ext4_xattr_entry *last; -+ struct ext4_xattr_entry *last, *next; - struct ext4_xattr_entry *here = s->here; - size_t min_offs = s->end - s->base, name_len = strlen(i->name); - int in_inode = i->in_inode; -@@ -1595,7 +1595,13 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i, - - /* Compute min_offs and last. */ - last = s->first; -- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { -+ for (; !IS_LAST_ENTRY(last); last = next) { -+ next = EXT4_XATTR_NEXT(last); -+ if ((void *)next >= s->end) { -+ EXT4_ERROR_INODE(inode, "corrupted xattr entries"); -+ ret = -EFSCORRUPTED; -+ goto out; -+ } - if (!last->e_value_inum && last->e_value_size) { - size_t offs = le16_to_cpu(last->e_value_offs); - if (offs < min_offs) diff --git a/add-ext4-journal-lazy-mount-option b/add-ext4-journal-lazy-mount-option index 14cf8b7a..73d77ce6 100644 --- a/add-ext4-journal-lazy-mount-option +++ b/add-ext4-journal-lazy-mount-option @@ -14,22 +14,22 @@ Signed-off-by: Theodore Ts'o 4 files changed, 78 insertions(+), 23 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index d1389c9fb8a1..fa05cccda31c 100644 +index fc2bdaa71c44..e19b6bac2d91 100644 
--- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h -@@ -1109,6 +1109,7 @@ struct ext4_inode_info { - #define EXT4_MOUNT_JOURNAL_CHECKSUM 0x800000 /* Journal checksums */ - #define EXT4_MOUNT_JOURNAL_ASYNC_COMMIT 0x1000000 /* Journal Async Commit */ - #define EXT4_MOUNT_JOURNAL_NOCLEANUP 0x2000000 /* Preserve the journal on unmount */ -+#define EXT4_MOUNT_JOURNAL_LAZY 0x4000000 /* Do lazy writeback of journalled metadata */ - #define EXT4_MOUNT_DELALLOC 0x8000000 /* Delalloc support */ - #define EXT4_MOUNT_DATA_ERR_ABORT 0x10000000 /* Abort on file data write */ - #define EXT4_MOUNT_BLOCK_VALIDITY 0x20000000 /* Block validity checking */ +@@ -1079,6 +1079,7 @@ struct ext4_inode_info { + * Mount flags set via mount options or defaults + */ + #define EXT4_MOUNT_NO_MBCACHE 0x00001 /* Do not use mbcache */ ++#define EXT4_MOUNT_JOURNAL_LAZY 0x00002 /* Do lazy writeback of journalled metadata */ + #define EXT4_MOUNT_GRPID 0x00004 /* Create files with directory's group */ + #define EXT4_MOUNT_DEBUG 0x00008 /* Some debugging messages */ + #define EXT4_MOUNT_ERRORS_CONT 0x00010 /* Continue on errors */ diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index baa9f5ea16f1..a709e77016e0 100644 +index 3969d0278469..d43c326f4048 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c -@@ -3275,7 +3275,7 @@ static sector_t ext4_bmap(struct address_space *mapping, sector_t block) +@@ -3287,7 +3287,7 @@ static sector_t ext4_bmap(struct address_space *mapping, sector_t block) filemap_write_and_wait(mapping); } @@ -39,10 +39,10 @@ index baa9f5ea16f1..a709e77016e0 100644 /* * This is a REALLY heavyweight approach, but the use of diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c -index 1eec25014f62..1d1bf751d142 100644 +index a7074115d6f6..8556d6003d15 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c -@@ -242,6 +242,20 @@ static int ext4_ioctl_setflags(struct inode *inode, +@@ -239,6 +239,20 @@ static int ext4_ioctl_setflags(struct inode *inode, if (!capable(CAP_SYS_RESOURCE)) goto flags_out; } 
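Review bot: EXT4_MOUNT_JOURNAL_LAZY's new value 0x00002 is a bare #define on the one bit left free between EXT4_MOUNT_NO_MBCACHE (0x00001) and EXT4_MOUNT_GRPID (0x00004), and this very commit already had to move the flag from 0x4000000 because upstream claimed a neighbouring bit. If an upstream flag later lands on 0x00002 the two names alias in s_mount_opt with no compile-time diagnostic, and — assuming test_opt(sb, JOURNAL_LAZY) is what gates the lazy writeback the comment describes — an unrelated mount option would then silently enable lazy journalling, which is a data-integrity hazard rather than a build failure. Suggest marking the bit as out-of-tree on the define itself so the next rebase re-checks it: `#define EXT4_MOUNT_JOURNAL_LAZY 0x00002 /* Do lazy writeback of journalled metadata (out-of-tree bit: re-check for upstream collisions on rebase) */`. The EXT4_MOUNT_* flag list continues outside the hunk.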
@@ -63,7 +63,7 @@ index 1eec25014f62..1d1bf751d142 100644 if ((flags ^ oldflags) & EXT4_EXTENTS_FL) migrate = 1; -@@ -630,6 +644,22 @@ static long ext4_ioctl_group_add(struct file *file, +@@ -626,6 +640,22 @@ static long ext4_ioctl_group_add(struct file *file, return err; } @@ -86,7 +86,7 @@ index 1eec25014f62..1d1bf751d142 100644 long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) { struct inode *inode = file_inode(filp); -@@ -748,11 +778,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +@@ -744,11 +774,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) goto group_extend_out; err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count); @@ -99,7 +99,7 @@ index 1eec25014f62..1d1bf751d142 100644 if (err == 0) err = err2; mnt_drop_write_file(filp); -@@ -890,11 +916,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +@@ -886,11 +912,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) goto resizefs_out; err = ext4_resize_fs(sb, n_blocks_count); @@ -113,10 +113,10 @@ index 1eec25014f62..1d1bf751d142 100644 err = err2; mnt_drop_write_file(filp); diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 06da44b3d8e1..ba9a6ef78454 100644 +index 9339717b85c8..406e4d4ffae0 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c -@@ -888,7 +888,8 @@ static void ext4_put_super(struct super_block *sb) +@@ -928,7 +928,8 @@ static void ext4_put_super(struct super_block *sb) ext4_mb_release(sb); ext4_ext_release(sb); @@ -126,7 +126,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 ext4_clear_feature_journal_needs_recovery(sb); es->s_state = cpu_to_le16(sbi->s_mount_state); } -@@ -1349,6 +1350,7 @@ enum { +@@ -1384,6 +1385,7 @@ enum { Opt_inode_readahead_blks, Opt_journal_ioprio, Opt_dioread_nolock, Opt_dioread_lock, Opt_journal_nocleanup, Opt_journal_cleanup, 
@@ -134,7 +134,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 Opt_discard, Opt_nodiscard, Opt_init_itable, Opt_noinit_itable, Opt_max_dir_size_kb, Opt_nojournal_checksum, Opt_nombcache, }; -@@ -1437,6 +1439,8 @@ static const match_table_t tokens = { +@@ -1474,6 +1476,8 @@ static const match_table_t tokens = { {Opt_nombcache, "no_mbcache"}, /* for backward compatibility */ {Opt_journal_nocleanup, "journal_nocleanup"}, {Opt_journal_cleanup, "journal_cleanup"}, @@ -143,7 +143,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 {Opt_removed, "check=none"}, /* mount option from ext2/3 */ {Opt_removed, "nocheck"}, /* mount option from ext2/3 */ {Opt_removed, "reservation"}, /* mount option from ext2/3 */ -@@ -1647,6 +1651,8 @@ static const struct mount_opts { +@@ -1686,6 +1690,8 @@ static const struct mount_opts { {Opt_nombcache, EXT4_MOUNT_NO_MBCACHE, MOPT_SET}, {Opt_journal_nocleanup, EXT4_MOUNT_JOURNAL_NOCLEANUP, MOPT_SET}, {Opt_journal_cleanup, EXT4_MOUNT_JOURNAL_NOCLEANUP, MOPT_CLEAR}, @@ -152,7 +152,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 {Opt_err, 0, 0} }; -@@ -4456,6 +4462,10 @@ static void ext4_init_journal_params(struct super_block *sb, journal_t *journal) +@@ -4570,6 +4576,10 @@ static void ext4_init_journal_params(struct super_block *sb, journal_t *journal) journal->j_flags |= JBD2_NO_CLEANUP; else journal->j_flags &= ~JBD2_NO_CLEANUP; @@ -163,7 +163,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 write_unlock(&journal->j_state_lock); } -@@ -4690,6 +4700,24 @@ static int ext4_load_journal(struct super_block *sb, +@@ -4804,6 +4814,24 @@ static int ext4_load_journal(struct super_block *sb, EXT4_SB(sb)->s_journal = journal; ext4_clear_journal_err(sb, es); @@ -188,7 +188,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 return 0; } -@@ -4776,6 +4804,9 @@ static void ext4_mark_recovery_complete(struct super_block *sb, +@@ -4894,6 +4922,9 @@ static void ext4_mark_recovery_complete(struct super_block *sb, { journal_t *journal = EXT4_SB(sb)->s_journal; 
@@ -198,7 +198,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 if (!ext4_has_feature_journal(sb)) { BUG_ON(journal != NULL); return; -@@ -4911,21 +4942,20 @@ static int ext4_freeze(struct super_block *sb) +@@ -5029,21 +5060,20 @@ static int ext4_freeze(struct super_block *sb) journal = EXT4_SB(sb)->s_journal; if (journal) { @@ -229,7 +229,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 error = ext4_commit_super(sb, 1); out: if (journal) -@@ -4943,7 +4973,7 @@ static int ext4_unfreeze(struct super_block *sb) +@@ -5061,7 +5091,7 @@ static int ext4_unfreeze(struct super_block *sb) if (sb_rdonly(sb) || ext4_forced_shutdown(EXT4_SB(sb))) return 0; @@ -238,7 +238,7 @@ index 06da44b3d8e1..ba9a6ef78454 100644 /* Reset the needs_recovery flag before the fs is unlocked. */ ext4_set_feature_journal_needs_recovery(sb); } -@@ -5469,6 +5499,8 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, +@@ -5595,6 +5625,8 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id, * We don't need to lock updates but journal_flush() could * otherwise be livelocked... */ diff --git a/add-journal-no-cleanup-option b/add-journal-no-cleanup-option index 831bd740..2d04fecf 100644 --- a/add-journal-no-cleanup-option +++ b/add-journal-no-cleanup-option @@ -12,22 +12,22 @@ Signed-off-by: Theodore Ts'o 4 files changed, 21 insertions(+), 4 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 4e091eae38b1..d1389c9fb8a1 100644 +index 7c7123f265c2..fc2bdaa71c44 100644 --- a/fs/ext4/ext4.h 
+++ b/fs/ext4/ext4.h -@@ -1108,6 +1108,7 @@ struct ext4_inode_info { - #define EXT4_MOUNT_DIOREAD_NOLOCK 0x400000 /* Enable support for dio read nolocking */ +@@ -1115,6 +1115,7 @@ struct ext4_inode_info { #define EXT4_MOUNT_JOURNAL_CHECKSUM 0x800000 /* Journal checksums */ #define EXT4_MOUNT_JOURNAL_ASYNC_COMMIT 0x1000000 /* Journal Async Commit */ -+#define EXT4_MOUNT_JOURNAL_NOCLEANUP 0x2000000 /* Preserve the journal on unmount */ + #define EXT4_MOUNT_WARN_ON_ERROR 0x2000000 /* Trigger WARN_ON on error */ ++#define EXT4_MOUNT_JOURNAL_NOCLEANUP 0x4000000 /* Preserve the journal on unmount */ #define EXT4_MOUNT_DELALLOC 0x8000000 /* Delalloc support */ #define EXT4_MOUNT_DATA_ERR_ABORT 0x10000000 /* Abort on file data write */ #define EXT4_MOUNT_BLOCK_VALIDITY 0x20000000 /* Block validity checking */ diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 6783af7ec115..06da44b3d8e1 100644 +index ae86983cbf60..9339717b85c8 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c -@@ -888,7 +888,7 @@ static void ext4_put_super(struct super_block *sb) +@@ -928,7 +928,7 @@ static void ext4_put_super(struct super_block *sb) ext4_mb_release(sb); ext4_ext_release(sb); @@ -36,7 +36,7 @@ index 6783af7ec115..06da44b3d8e1 100644 ext4_clear_feature_journal_needs_recovery(sb); es->s_state = cpu_to_le16(sbi->s_mount_state); } -@@ -1348,6 +1348,7 @@ enum { +@@ -1383,6 +1383,7 @@ enum { Opt_nomblk_io_submit, Opt_block_validity, Opt_noblock_validity, Opt_inode_readahead_blks, Opt_journal_ioprio, Opt_dioread_nolock, Opt_dioread_lock, @@ -44,7 +44,7 @@ index 6783af7ec115..06da44b3d8e1 100644 Opt_discard, Opt_nodiscard, Opt_init_itable, Opt_noinit_itable, Opt_max_dir_size_kb, Opt_nojournal_checksum, Opt_nombcache, }; -@@ -1434,6 +1435,8 @@ static const match_table_t tokens = { +@@ -1471,6 +1472,8 @@ static const match_table_t tokens = { {Opt_test_dummy_encryption, "test_dummy_encryption"}, {Opt_nombcache, "nombcache"}, {Opt_nombcache, "no_mbcache"}, /* for backward compatibility */ 
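Review bot: EXT4_MOUNT_JOURNAL_NOCLEANUP moves from 0x2000000 to 0x4000000 because upstream's EXT4_MOUNT_WARN_ON_ERROR now occupies 0x2000000, and that upstream line is carried as context, so this patch now applies only on trees that already contain the warn_on_error commit — worth recording in the patch header so the series is not pushed onto an older tree where the bit assignment no longer holds. As with the sibling journal_lazy patch, the value is a bare #define, so a later upstream flag on 0x4000000 would alias onto an option that, per the line's own comment, keeps the journal un-emptied across unmount; a trailing note such as `/* Preserve the journal on unmount (debug; out-of-tree bit, re-check on rebase) */` would make that explicit. The surrounding EXT4_MOUNT_* list and the ext4_put_super hunk continue outside this hunk.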
@@ -53,7 +53,7 @@ index 6783af7ec115..06da44b3d8e1 100644 {Opt_removed, "check=none"}, /* mount option from ext2/3 */ {Opt_removed, "nocheck"}, /* mount option from ext2/3 */ {Opt_removed, "reservation"}, /* mount option from ext2/3 */ -@@ -1642,6 +1645,8 @@ static const struct mount_opts { +@@ -1681,6 +1684,8 @@ static const struct mount_opts { {Opt_max_dir_size_kb, 0, MOPT_GTE0}, {Opt_test_dummy_encryption, 0, MOPT_GTE0}, {Opt_nombcache, EXT4_MOUNT_NO_MBCACHE, MOPT_SET}, @@ -62,7 +62,7 @@ index 6783af7ec115..06da44b3d8e1 100644 {Opt_err, 0, 0} }; -@@ -4447,6 +4452,10 @@ static void ext4_init_journal_params(struct super_block *sb, journal_t *journal) +@@ -4561,6 +4566,10 @@ static void ext4_init_journal_params(struct super_block *sb, journal_t *journal) journal->j_flags |= JBD2_ABORT_ON_SYNCDATA_ERR; else journal->j_flags &= ~JBD2_ABORT_ON_SYNCDATA_ERR; @@ -74,10 +74,10 @@ index 6783af7ec115..06da44b3d8e1 100644 } diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c -index b01f07f65d59..218c50dd9dfc 100644 +index 8ef6b6daaa7a..860ab3c802a4 100644 --- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c -@@ -1724,6 +1724,11 @@ int jbd2_journal_destroy(journal_t *journal) +@@ -1727,6 +1727,11 @@ int jbd2_journal_destroy(journal_t *journal) if (journal->j_running_transaction) jbd2_journal_commit_transaction(journal); @@ -89,7 +89,7 @@ index b01f07f65d59..218c50dd9dfc 100644 /* Force any old transactions to disk */ /* Totally anal locking here... */ -@@ -1751,7 +1756,9 @@ int jbd2_journal_destroy(journal_t *journal) +@@ -1754,7 +1759,9 @@ int jbd2_journal_destroy(journal_t *journal) spin_unlock(&journal->j_list_lock); if (journal->j_sb_buffer) { 
@@ -100,7 +100,7 @@ index b01f07f65d59..218c50dd9dfc 100644 mutex_lock_io(&journal->j_checkpoint_mutex); write_lock(&journal->j_state_lock); -@@ -1762,8 +1769,7 @@ int jbd2_journal_destroy(journal_t *journal) +@@ -1765,8 +1772,7 @@ int jbd2_journal_destroy(journal_t *journal) jbd2_mark_journal_empty(journal, REQ_SYNC | REQ_PREFLUSH | REQ_FUA); mutex_unlock(&journal->j_checkpoint_mutex); @@ -111,10 +111,10 @@ index b01f07f65d59..218c50dd9dfc 100644 } diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h -index 296d1e0ea87b..58ec2b764abd 100644 +index b708e5169d1d..81fa9fa7ce9c 100644 --- a/include/linux/jbd2.h +++ b/include/linux/jbd2.h -@@ -1130,6 +1130,7 @@ JBD2_FEATURE_INCOMPAT_FUNCS(csum3, CSUM_V3) +@@ -1235,6 +1235,7 @@ JBD2_FEATURE_INCOMPAT_FUNCS(csum3, CSUM_V3) * data write error in ordered * mode */ #define JBD2_REC_ERR 0x080 /* The errno in the sb has been recorded */ diff --git a/add-more-inode-number-paranoia-checks b/add-more-inode-number-paranoia-checks deleted file mode 100644 index 4f524dfc..00000000 --- a/add-more-inode-number-paranoia-checks +++ /dev/null 
@@ -1,66 +0,0 @@ -ext4: add more inode number paranoia checks - -If there is a directory entry pointing to a system inode (such as a -journal inode), complain and declare the file system to be corrupted. - -Also, if the superblock's first inode number field is too small, -refuse to mount the file system. - -This addresses CVE-2018-10882. - -https://bugzilla.kernel.org/show_bug.cgi?id=200069 - -Signed-off-by: Theodore Ts'o -Cc: stable@kernel.org ---- - fs/ext4/ext4.h | 5 ----- - fs/ext4/inode.c | 3 ++- - fs/ext4/super.c | 5 +++++ - 3 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 859d6433dcc1..4bd69649a048 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -1502,11 +1502,6 @@ static inline struct ext4_inode_info *EXT4_I(struct inode *inode) - static inline int ext4_valid_inum(struct super_block *sb, unsigned long ino) - { - return ino == EXT4_ROOT_INO || -- ino == EXT4_USR_QUOTA_INO || -- ino == EXT4_GRP_QUOTA_INO || -- ino == EXT4_BOOT_LOADER_INO || -- ino == EXT4_JOURNAL_INO || -- ino == EXT4_RESIZE_INO || - (ino >= EXT4_FIRST_INO(sb) && - ino <= le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)); - } -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index c2f4ccb880c4..7d6c10017bdf 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4506,7 +4506,8 @@ static int __ext4_get_inode_loc(struct inode *inode, - int inodes_per_block, inode_offset; - - iloc->bh = NULL; -- if (!ext4_valid_inum(sb, inode->i_ino)) -+ if (inode->i_ino < EXT4_ROOT_INO || -+ inode->i_ino > le32_to_cpu(EXT4_SB(sb)->s_es->s_inodes_count)) - return -EFSCORRUPTED; - - iloc->block_group = (inode->i_ino - 1) / EXT4_INODES_PER_GROUP(sb); -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 4d34430d75f6..1f955c128e0d 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3858,6 +3858,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - } else { - sbi->s_inode_size = le16_to_cpu(es->s_inode_size); - 
sbi->s_first_ino = le32_to_cpu(es->s_first_ino); -+ if (sbi->s_first_ino < EXT4_GOOD_OLD_FIRST_INO) { -+ ext4_msg(sb, KERN_ERR, "invalid first ino: %u", -+ sbi->s_first_ino); -+ goto failed_mount; -+ } - if ((sbi->s_inode_size < EXT4_GOOD_OLD_INODE_SIZE) || - (!is_power_of_2(sbi->s_inode_size)) || - (sbi->s_inode_size > blocksize)) { diff --git a/add-more-mount-time-superblock-checking b/add-more-mount-time-superblock-checking deleted file mode 100644 index 381637fc..00000000 --- a/add-more-mount-time-superblock-checking +++ /dev/null 
@@ -1,92 +0,0 @@ -ext4: add more mount time checks of the superblock - -The kernel's ext4 mount-time checks were more permissive than -e2fsprogs's libext2fs checks when opening a file system. The -superblock is considered too insane for debugfs or e2fsck to operate -on it, the kernel has no business trying to mount it. - -This will make file system fuzzing tools work harder, but the failure -cases that they find will be more useful and be easier to evaluate. - -Signed-off-by: Theodore Ts'o -Cc: stable@kernel.org ---- - fs/ext4/super.c | 37 ++++++++++++++++++++++++++----------- - 1 file changed, 26 insertions(+), 11 deletions(-) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 1f955c128e0d..b37b00befd65 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3793,6 +3793,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - le32_to_cpu(es->s_log_block_size)); - goto failed_mount; - } -+ if (le32_to_cpu(es->s_log_cluster_size) > -+ (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { -+ ext4_msg(sb, KERN_ERR, -+ "Invalid log cluster size: %u", -+ le32_to_cpu(es->s_log_cluster_size)); -+ goto failed_mount; -+ } - - if (le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks) > (blocksize / 4)) { - ext4_msg(sb, KERN_ERR, -@@ -3939,13 +3946,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - "block size (%d)", clustersize, blocksize); - goto failed_mount; - } -- if (le32_to_cpu(es->s_log_cluster_size) > -- (EXT4_MAX_CLUSTER_LOG_SIZE - EXT4_MIN_BLOCK_LOG_SIZE)) { -- ext4_msg(sb, KERN_ERR, -- "Invalid log cluster size: %u", -- le32_to_cpu(es->s_log_cluster_size)); -- goto failed_mount; -- } - sbi->s_cluster_bits = le32_to_cpu(es->s_log_cluster_size) - - le32_to_cpu(es->s_log_block_size); - sbi->s_clusters_per_group = -@@ -3966,10 +3966,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - } - } else { - if (clustersize != blocksize) { -- ext4_warning(sb, "fragment/cluster size (%d) 
!= " -- "block size (%d)", clustersize, -- blocksize); -- clustersize = blocksize; -+ ext4_msg(sb, KERN_ERR, -+ "fragment/cluster size (%d) != " -+ "block size (%d)", clustersize, blocksize); -+ goto failed_mount; - } - if (sbi->s_blocks_per_group > blocksize * 8) { - ext4_msg(sb, KERN_ERR, -@@ -4023,6 +4023,13 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - ext4_blocks_count(es)); - goto failed_mount; - } -+ if ((es->s_first_data_block == 0) && (es->s_log_block_size == 0) && -+ (sbi->s_cluster_ratio == 1)) { -+ ext4_msg(sb, KERN_WARNING, "bad geometry: first data " -+ "block is 0 with a 1k block and cluster size"); -+ goto failed_mount; -+ } -+ - blocks_count = (ext4_blocks_count(es) - - le32_to_cpu(es->s_first_data_block) + - EXT4_BLOCKS_PER_GROUP(sb) - 1); -@@ -4058,6 +4065,14 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - ret = -ENOMEM; - goto failed_mount; - } -+ if (((u64)sbi->s_groups_count * sbi->s_inodes_per_group) != -+ le32_to_cpu(es->s_inodes_count)) { -+ ext4_msg(sb, KERN_ERR, "inodes count not valid: %u vs %llu", -+ le32_to_cpu(es->s_inodes_count), -+ ((u64)sbi->s_groups_count * sbi->s_inodes_per_group)); -+ ret = -EINVAL; -+ goto failed_mount; -+ } - - bgl_lock_init(sbi->s_blockgroup_lock); - diff --git a/add-warn-on-error-mount-option b/add-warn-on-error-mount-option deleted file mode 100644 index 1908e15d..00000000 --- a/add-warn-on-error-mount-option +++ /dev/null 
@@ -1,71 +0,0 @@ -ext4: add warn_on_error mount option - -This is very handy when debugging bugs handling maliciously corrupted -file systems. - -Signed-off-by: Theodore Ts'o ---- -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index fa52b7dd4542..856b6a54d82b 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -1108,6 +1108,7 @@ struct ext4_inode_info { - #define EXT4_MOUNT_DIOREAD_NOLOCK 0x400000 /* Enable support for dio read nolocking */ - #define EXT4_MOUNT_JOURNAL_CHECKSUM 0x800000 /* Journal checksums */ - #define EXT4_MOUNT_JOURNAL_ASYNC_COMMIT 0x1000000 /* Journal Async Commit */ -+#define EXT4_MOUNT_WARN_ON_ERROR 0x2000000 /* Trigger WARN_ON on error */ - #define EXT4_MOUNT_DELALLOC 0x8000000 /* Delalloc support */ - #define EXT4_MOUNT_DATA_ERR_ABORT 0x10000000 /* Abort on file data write */ - #define EXT4_MOUNT_BLOCK_VALIDITY 0x20000000 /* Block validity checking */ -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index c1c5c8775ae7..c8b7b8302e90 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -405,6 +405,9 @@ static void ext4_journal_commit_callback(journal_t *journal, transaction_t *txn) - - static void ext4_handle_error(struct super_block *sb) - { -+ if (test_opt(sb, WARN_ON_ERROR)) -+ WARN_ON_ONCE(1); -+ - if (sb_rdonly(sb)) - return; - -@@ -740,6 +743,9 @@ __acquires(bitlock) - va_end(args); - } - -+ if (test_opt(sb, WARN_ON_ERROR)) -+ WARN_ON_ONCE(1); -+ - if (test_opt(sb, ERRORS_CONT)) { - ext4_commit_super(sb, 0); - return; -@@ -1377,7 +1383,8 @@ enum { - Opt_jqfmt_vfsold, Opt_jqfmt_vfsv0, Opt_jqfmt_vfsv1, Opt_quota, - Opt_noquota, Opt_barrier, Opt_nobarrier, Opt_err, - Opt_usrquota, Opt_grpquota, Opt_prjquota, Opt_i_version, Opt_dax, -- Opt_stripe, Opt_delalloc, Opt_nodelalloc, Opt_mblk_io_submit, -+ Opt_stripe, Opt_delalloc, Opt_nodelalloc, Opt_warn_on_error, -+ Opt_nowarn_on_error, Opt_mblk_io_submit, - Opt_lazytime, Opt_nolazytime, Opt_debug_want_extra_isize, - Opt_nomblk_io_submit, Opt_block_validity, Opt_noblock_validity, - 
Opt_inode_readahead_blks, Opt_journal_ioprio, -@@ -1444,6 +1451,8 @@ static const match_table_t tokens = { - {Opt_dax, "dax"}, - {Opt_stripe, "stripe=%u"}, - {Opt_delalloc, "delalloc"}, -+ {Opt_warn_on_error, "warn_on_error"}, -+ {Opt_nowarn_on_error, "nowarn_on_error"}, - {Opt_lazytime, "lazytime"}, - {Opt_nolazytime, "nolazytime"}, - {Opt_debug_want_extra_isize, "debug_want_extra_isize=%u"}, -@@ -1608,6 +1617,8 @@ static const struct mount_opts { - MOPT_EXT4_ONLY | MOPT_SET | MOPT_EXPLICIT}, - {Opt_nodelalloc, EXT4_MOUNT_DELALLOC, - MOPT_EXT4_ONLY | MOPT_CLEAR}, -+ {Opt_warn_on_error, EXT4_MOUNT_WARN_ON_ERROR, MOPT_SET}, -+ {Opt_nowarn_on_error, EXT4_MOUNT_WARN_ON_ERROR, MOPT_CLEAR}, - {Opt_nojournal_checksum, EXT4_MOUNT_JOURNAL_CHECKSUM, - MOPT_EXT4_ONLY | MOPT_CLEAR}, - {Opt_journal_checksum, EXT4_MOUNT_JOURNAL_CHECKSUM, diff --git a/always-check-bg-bounds-in-ext4_init_block_bitmap b/always-check-bg-bounds-in-ext4_init_block_bitmap deleted file mode 100644 index 5148d1ab..00000000 --- a/always-check-bg-bounds-in-ext4_init_block_bitmap +++ /dev/null 
@@ -1,52 +0,0 @@ -ext4: always check block group bounds in ext4_init_block_bitmap() - -Regardless of whether the flex_bg feature is set, we should always -check to make sure the bits we are setting in the block bitmap are -within the block group bounds. - -https://bugzilla.kernel.org/show_bug.cgi?id=199865 - -Signed-off-by: Theodore Ts'o -Cc: stable@kernel.org ---- - fs/ext4/balloc.c | 10 +++------- - 1 files changed, 28 insertions(+), 7 deletions(-) - -diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c -index b00481c475cb..8a2e202ade8a 100644 ---- a/fs/ext4/balloc.c -+++ b/fs/ext4/balloc.c -@@ -184,7 +184,6 @@ static int ext4_init_block_bitmap(struct super_block *sb, - unsigned int bit, bit_max; - struct ext4_sb_info *sbi = EXT4_SB(sb); - ext4_fsblk_t start, tmp; -- int flex_bg = 0; - - J_ASSERT_BH(bh, buffer_locked(bh)); - -@@ -207,22 +206,19 @@ static int ext4_init_block_bitmap(struct super_block *sb, - - start = ext4_group_first_block_no(sb, block_group); - -- if (ext4_has_feature_flex_bg(sb)) -- flex_bg = 1; -- - /* Set bits for block and inode bitmaps, and inode table */ - tmp = ext4_block_bitmap(sb, gdp); -- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) -+ if (ext4_block_in_group(sb, tmp, block_group)) - ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); - - tmp = ext4_inode_bitmap(sb, gdp); -- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) -+ if (ext4_block_in_group(sb, tmp, block_group)) - ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); - - tmp = ext4_inode_table(sb, gdp); - for (; tmp < ext4_inode_table(sb, gdp) + - sbi->s_itb_per_group; tmp++) { -- if (!flex_bg || ext4_block_in_group(sb, tmp, block_group)) -+ if (ext4_block_in_group(sb, tmp, block_group)) - ext4_set_bit(EXT4_B2C(sbi, tmp - start), bh->b_data); - } - diff --git a/always-verify-magic-number-in-xattr-blocks b/always-verify-magic-number-in-xattr-blocks deleted file mode 100644 index 6308e2bf..00000000 
--- a/always-verify-magic-number-in-xattr-blocks +++ /dev/null @@ -1,42 +0,0 @@ -ext4: always verify the magic number in xattr blocks - -If there an inode points to a block which is also some other type of -metadata block (such as a block allocation bitmap), the -buffer_verified flag can be set when it was validated as that other -metadata block type; however, it would make a really terrible external -attribute block. The reason why we use the verified flag is to avoid -constantly reverifying the block. However, it doesn't take much -overhead to make sure the magic number of the xattr block is correct, -and this will avoid potential crashes. - -This addresses CVE-2018-10879. - -https://bugzilla.kernel.org/show_bug.cgi?id=200001 - -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger -Cc: stable@kernel.org ---- - fs/ext4/xattr.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 230ba79715f6..0263692979ec 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -230,12 +230,12 @@ __ext4_xattr_check_block(struct inode *inode, struct buffer_head *bh, - { - int error = -EFSCORRUPTED; - -- if (buffer_verified(bh)) -- return 0; -- - if (BHDR(bh)->h_magic != cpu_to_le32(EXT4_XATTR_MAGIC) || - BHDR(bh)->h_blocks != cpu_to_le32(1)) - goto errout; -+ if (buffer_verified(bh)) -+ return 0; -+ - error = -EFSBADCRC; - if (!ext4_xattr_block_csum_verify(inode, bh)) - goto errout; diff --git a/avoid-running-out-journal-credits-when-appending-to-an-inline-file b/avoid-running-out-journal-credits-when-appending-to-an-inline-file deleted file mode 100644 index 220b4410..00000000 --- a/avoid-running-out-journal-credits-when-appending-to-an-inline-file +++ /dev/null 
@@ -1,122 +0,0 @@ -ext4: avoid running out of journal credits when appending to an inline file - -Use a separate journal transaction if it turns out that we need to -convert an inline file to use an data block. Otherwise we could end -up failing due to not having journal credits. - -This addresses CVE-2018-10883. - -https://bugzilla.kernel.org/show_bug.cgi?id=200071 - -Signed-off-by: Theodore Ts'o -Cc: stable@kernel.org ---- - fs/ext4/ext4.h | 3 --- - fs/ext4/inline.c | 38 +------------------------------------- - fs/ext4/xattr.c | 19 ++----------------- - 3 files changed, 3 insertions(+), 57 deletions(-) - -diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h -index 856b6a54d82b..859d6433dcc1 100644 ---- a/fs/ext4/ext4.h -+++ b/fs/ext4/ext4.h -@@ -3013,9 +3013,6 @@ extern int ext4_inline_data_fiemap(struct inode *inode, - struct iomap; - extern int ext4_inline_data_iomap(struct inode *inode, struct iomap *iomap); - --extern int ext4_try_to_evict_inline_data(handle_t *handle, -- struct inode *inode, -- int needed); - extern int ext4_inline_data_truncate(struct inode *inode, int *has_inline); - - extern int ext4_convert_inline_data(struct inode *inode); -diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c -index d79115d8d716..851bc552d849 100644 ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -887,11 +887,11 @@ int ext4_da_write_inline_data_begin(struct address_space *mapping, - flags |= AOP_FLAG_NOFS; - - if (ret == -ENOSPC) { -+ ext4_journal_stop(handle); - ret = ext4_da_convert_inline_data_to_extent(mapping, - inode, - flags, - fsdata); -- ext4_journal_stop(handle); - if (ret == -ENOSPC && - ext4_should_retry_alloc(inode->i_sb, &retries)) - goto retry_journal; -@@ -1891,42 +1891,6 @@ int ext4_inline_data_fiemap(struct inode *inode, - return (error < 0 ? error : 0); - } - --/* -- * Called during xattr set, and if we can sparse space 'needed', -- * just create the extent tree evict the data to the outer block. 
-- * -- * We use jbd2 instead of page cache to move data to the 1st block -- * so that the whole transaction can be committed as a whole and -- * the data isn't lost because of the delayed page cache write. -- */ --int ext4_try_to_evict_inline_data(handle_t *handle, -- struct inode *inode, -- int needed) --{ -- int error; -- struct ext4_xattr_entry *entry; -- struct ext4_inode *raw_inode; -- struct ext4_iloc iloc; -- -- error = ext4_get_inode_loc(inode, &iloc); -- if (error) -- return error; -- -- raw_inode = ext4_raw_inode(&iloc); -- entry = (struct ext4_xattr_entry *)((void *)raw_inode + -- EXT4_I(inode)->i_inline_off); -- if (EXT4_XATTR_LEN(entry->e_name_len) + -- EXT4_XATTR_SIZE(le32_to_cpu(entry->e_value_size)) < needed) { -- error = -ENOSPC; -- goto out; -- } -- -- error = ext4_convert_inline_data_nolock(handle, inode, &iloc); --out: -- brelse(iloc.bh); -- return error; --} -- - int ext4_inline_data_truncate(struct inode *inode, int *has_inline) - { - handle_t *handle; -diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c -index 72377b77fbd7..723df14f4084 100644 ---- a/fs/ext4/xattr.c -+++ b/fs/ext4/xattr.c -@@ -2212,23 +2212,8 @@ int ext4_xattr_ibody_inline_set(handle_t *handle, struct inode *inode, - if (EXT4_I(inode)->i_extra_isize == 0) - return -ENOSPC; - error = ext4_xattr_set_entry(i, s, handle, inode, false /* is_block */); -- if (error) { -- if (error == -ENOSPC && -- ext4_has_inline_data(inode)) { -- error = ext4_try_to_evict_inline_data(handle, inode, -- EXT4_XATTR_LEN(strlen(i->name) + -- EXT4_XATTR_SIZE(i->value_len))); -- if (error) -- return error; -- error = ext4_xattr_ibody_find(inode, i, is); -- if (error) -- return error; -- error = ext4_xattr_set_entry(i, s, handle, inode, -- false /* is_block */); -- } -- if (error) -- return error; -- } -+ if (error) -+ return error; - header = IHDR(inode, ext4_raw_inode(&is->iloc)); - if (!IS_LAST_ENTRY(s->first)) { - header->h_magic = cpu_to_le32(EXT4_XATTR_MAGIC); 
diff --git a/check-superblock-mapped-prior-to-committing b/check-superblock-mapped-prior-to-committing deleted file mode 100644 index 08d01270..00000000 --- a/check-superblock-mapped-prior-to-committing +++ /dev/null @@ -1,54 +0,0 @@ -ext4: check superblock mapped prior to committing - -From: Jon Derrick - -This patch attempts to close a hole leading to a BUG seen with hot -removals during writes [1]. - -A block device (NVME namespace in this test case) is formatted to EXT4 -without partitions. It's mounted and write I/O is run to a file, then -the device is hot removed from the slot. The superblock attempts to be -written to the drive which is no longer present. - -The typical chain of events leading to the BUG: -ext4_commit_super() - __sync_dirty_buffer() - submit_bh() - submit_bh_wbc() - BUG_ON(!buffer_mapped(bh)); - -This fix checks for the superblock's buffer head being mapped prior to -syncing. - -[1] https://www.spinics.net/lists/linux-ext4/msg56527.html - -Signed-off-by: Jon Derrick -Signed-off-by: Theodore Ts'o -Cc: stable@kernel.org ---- - fs/ext4/super.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 0c4c220..ee33233 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -4736,6 +4736,14 @@ static int ext4_commit_super(struct super_block *sb, int sync) - - if (!sbh || block_device_ejected(sb)) - return error; -+ -+ /* -+ * The superblock bh should be mapped, but it might not be if the -+ * device was hot-removed. Not much we can do but fail the I/O. -+ */ -+ if (!buffer_mapped(sbh)) -+ return error; -+ - /* - * If the file system is mounted read-only, don't update the - * superblock write time. This avoids updating the superblock --- -2.7.4 - - diff --git a/check-that-metadata-blocks-dont-overlap-bg-descriptors b/check-that-metadata-blocks-dont-overlap-bg-descriptors deleted file mode 100644 index 0a351f2b..00000000 --- a/check-that-metadata-blocks-dont-overlap-bg-descriptors +++ /dev/null 
@@ -1,70 +0,0 @@
-ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
-
-It's really bad when the allocation bitmaps and the inode table
-overlap with the block group descriptors, since it causes random
-corruption of the bg descriptors. So we really want to head those off
-at the pass.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=199865
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
-
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index c8b7b8302e90..c61675d62195 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -2348,6 +2348,7 @@ static int ext4_check_descriptors(struct super_block *sb,
- struct ext4_sb_info *sbi = EXT4_SB(sb);
- ext4_fsblk_t first_block = le32_to_cpu(sbi->s_es->s_first_data_block);
- ext4_fsblk_t last_block;
-+ ext4_fsblk_t last_bg_block = sb_block + ext4_bg_num_gdb(sb, 0) + 1;
- ext4_fsblk_t block_bitmap;
- ext4_fsblk_t inode_bitmap;
- ext4_fsblk_t inode_table;
-@@ -2380,6 +2381,14 @@ static int ext4_check_descriptors(struct super_block *sb,
- if (!sb_rdonly(sb))
- return 0;
- }
-+ if (block_bitmap >= sb_block + 1 &&
-+ block_bitmap <= last_bg_block) {
-+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
-+ "Block bitmap for group %u overlaps "
-+ "block group descriptors", i);
-+ if (!sb_rdonly(sb))
-+ return 0;
-+ }
- if (block_bitmap < first_block || block_bitmap > last_block) {
- ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
- "Block bitmap for group %u not in group "
-@@ -2394,6 +2403,14 @@ static int ext4_check_descriptors(struct super_block *sb,
- if (!sb_rdonly(sb))
- return 0;
- }
-+ if (inode_bitmap >= sb_block + 1 &&
-+ inode_bitmap <= last_bg_block) {
-+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
-+ "Inode bitmap for group %u overlaps "
-+ "block group descriptors", i);
-+ if (!sb_rdonly(sb))
-+ return 0;
-+ }
- if (inode_bitmap < first_block || inode_bitmap > last_block) {
- ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
- "Inode bitmap for group %u not in group "
-@@ -2408,6 +2425,14 @@ static int ext4_check_descriptors(struct super_block *sb,
- if (!sb_rdonly(sb))
- return 0;
- }
-+ if (inode_table >= sb_block + 1 &&
-+ inode_table <= last_bg_block) {
-+ ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
-+ "Inode table for group %u overlaps "
-+ "block group descriptors", i);
-+ if (!sb_rdonly(sb))
-+ return 0;
-+ }
- if (inode_table < first_block ||
- inode_table + sbi->s_itb_per_group - 1 > last_block) {
- ext4_msg(sb, KERN_ERR, "ext4_check_descriptors: "
diff --git a/clear-i_data-in-ext4_inode_info-when-destroying-inline-data b/clear-i_data-in-ext4_inode_info-when-destroying-inline-data
deleted file mode 100644
index eccbf9ab..00000000
--- a/clear-i_data-in-ext4_inode_info-when-destroying-inline-data
+++ /dev/null
@@ -1,41 +0,0 @@
-ext4: clear i_data in ext4_inode_info when removing inline data
-
-When converting from an inode from storing the data in-line to a data
-block, ext4_destroy_inline_data_nolock() was only clearing the on-disk
-copy of the i_blocks[] array. It was not clearing copy of the
-i_blocks[] in ext4_inode_info, in i_data[], which is the copy actually
-used by ext4_map_blocks().
-
-This didn't matter much if we are using extents, since the extents
-header would be invalid and thus the extents could would re-initialize
-the extents tree. But if we are using indirect blocks, the previous
-contents of the i_blocks array will be treated as block numbers, with
-potentially catastrophic results to the file system integrity and/or
-user data.
-
-This gets worse if the file system is using a 1k block size and
-s_first_data is zero, but even without this, the file system can get
-quite badly corrupted.
-
-This addresses CVE-2018-10881.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=200015
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
- fs/ext4/inline.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
-index 44b4fcdc3755..d79115d8d716 100644
---- a/fs/ext4/inline.c
-+++ b/fs/ext4/inline.c
-@@ -437,6 +437,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,
-
- memset((void *)ext4_raw_inode(&is.iloc)->i_block,
- 0, EXT4_MIN_INLINE_DATA_SIZE);
-+ memset(ei->i_data, 0, EXT4_MIN_INLINE_DATA_SIZE);
-
- if (ext4_has_feature_extents(inode->i_sb)) {
- if (S_ISDIR(inode->i_mode) ||
diff --git a/dont-mark-buffer-has-modified-if-the-handle-is-out-of-credits b/dont-mark-buffer-has-modified-if-the-handle-is-out-of-credits
deleted file mode 100644
index dde0391d..00000000
--- a/dont-mark-buffer-has-modified-if-the-handle-is-out-of-credits
+++ /dev/null
@@ -1,51 +0,0 @@
-jbd2: don't mark block as modified if the handle is out of credits
-
-Do not set the b_modified flag in block's journal head should not
-until after we're sure that jbd2_journal_dirty_metadat() will not
-abort with an error due to there not being enough space reserved in
-the jbd2 handle.
-
-Otherwise, future attempts to modify the buffer may lead a large
-number of spurious errors and warnings.
-
-This addresses CVE-2018-10883.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=200071
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
- fs/jbd2/transaction.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
-index 51dd68e67b0f..c0b66a7a795b 100644
---- a/fs/jbd2/transaction.c
-+++ b/fs/jbd2/transaction.c
-@@ -1361,6 +1361,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
- if (jh->b_transaction == transaction &&
- jh->b_jlist != BJ_Metadata) {
- jbd_lock_bh_state(bh);
-+ if (jh->b_transaction == transaction &&
-+ jh->b_jlist != BJ_Metadata)
-+ pr_err("JBD2: assertion failure: h_type=%u "
-+ "h_line_no=%u block_no=%llu jlist=%u\n",
-+ handle->h_type, handle->h_line_no,
-+ (unsigned long long) bh->b_blocknr,
-+ jh->b_jlist);
- J_ASSERT_JH(jh, jh->b_transaction != transaction ||
- jh->b_jlist == BJ_Metadata);
- jbd_unlock_bh_state(bh);
-@@ -1380,11 +1387,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
- * of the transaction. This needs to be done
- * once a transaction -bzzz
- */
-- jh->b_modified = 1;
- if (handle->h_buffer_credits <= 0) {
- ret = -ENOSPC;
- goto out_unlock_bh;
- }
-+ jh->b_modified = 1;
- handle->h_buffer_credits--;
- }
-
diff --git a/include-illegal-physical-block-in-bad-map-error-msg b/include-illegal-physical-block-in-bad-map-error-msg
deleted file mode 100644
index 5e964f28..00000000
--- a/include-illegal-physical-block-in-bad-map-error-msg
+++ /dev/null
@@ -1,24 +0,0 @@
-ext4: include the illegal physical block in the bad map ext4_error msg
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
- fs/ext4/inode.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
-index 2ea07efbe016..c2f4ccb880c4 100644
---- a/fs/ext4/inode.c
-+++ b/fs/ext4/inode.c
-@@ -402,9 +402,9 @@ static int __check_block_validity(struct inode *inode, const char *func,
- if (!ext4_data_block_valid(EXT4_SB(inode->i_sb), map->m_pblk,
- map->m_len)) {
- ext4_error_inode(inode, func, line, map->m_pblk,
-- "lblock %lu mapped to illegal pblock "
-+ "lblock %lu mapped to illegal pblock %llu "
- "(length %d)", (unsigned long) map->m_lblk,
-- map->m_len);
-+ map->m_pblk, map->m_len);
- return -EFSCORRUPTED;
- }
- return 0;
diff --git a/jbd2-suppress-extra-newline-in-jbd2_debug b/jbd2-suppress-extra-newline-in-jbd2_debug
deleted file mode 100644
index 602841ed..00000000
--- a/jbd2-suppress-extra-newline-in-jbd2_debug
+++ /dev/null
@@ -1,20 +0,0 @@
-jbd2: suppress extra newline in jbd2_debug
-
-Signed-off-by: Theodore Ts'o
----
- fs/jbd2/journal.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
-index 85d1483939b2..38ccd9070f72 100644
---- a/fs/jbd2/journal.c
-+++ b/fs/jbd2/journal.c
-@@ -116,7 +116,7 @@ void __jbd2_debug(int level, const char *file, const char *func,
- va_start(args, fmt);
- vaf.fmt = fmt;
- vaf.va = &args;
-- printk(KERN_DEBUG "%s: (%s, %u): %pV\n", file, func, line, &vaf);
-+ printk(KERN_DEBUG "%s: (%s, %u): %pV", file, func, line, &vaf);
- va_end(args);
- }
- EXPORT_SYMBOL(__jbd2_debug);
diff --git a/journal-superblock-changes b/journal-superblock-changes
index 3660e9d4..140575ac 100644
--- a/journal-superblock-changes
+++ b/journal-superblock-changes
@@ -10,14 +10,14 @@ the ext4 superblock's checksum was not properly set.
Signed-off-by: Theodore Ts'o --- - fs/ext4/super.c | 57 ++++++++++++++++++++++++++++++++++----------------------- - 1 file changed, 34 insertions(+), 23 deletions(-) + fs/ext4/super.c | 50 ++++++++++++++++++++++++++++---------------------- + 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 7c46693a14d7..6783af7ec115 100644 +index 680526e9ee96..ae86983cbf60 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c -@@ -2108,9 +2108,10 @@ int ext4_seq_options_show(struct seq_file *seq, void *offset) +@@ -2148,9 +2148,10 @@ int ext4_seq_options_show(struct seq_file *seq, void *offset) } static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, 
@@ -26,35 +26,35 @@ index 7c46693a14d7..6783af7ec115 100644 { struct ext4_sb_info *sbi = EXT4_SB(sb); + handle_t *handle; - int res = 0; + int err = 0; if (le32_to_cpu(es->s_rev_level) > EXT4_MAX_SUPP_REV) { -@@ -2118,7 +2119,7 @@ static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, +@@ -2158,7 +2159,7 @@ static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, "forcing read-only mode"); - res = SB_RDONLY; + err = -EROFS; } - if (read_only) -+ if (read_only || res) ++ if (read_only || err) goto done; if (!(sbi->s_mount_state & EXT4_VALID_FS)) ext4_msg(sb, KERN_WARNING, "warning: mounting unchecked fs, " -@@ -2139,6 +2140,15 @@ static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, +@@ -2179,6 +2180,15 @@ static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, ext4_msg(sb, KERN_WARNING, "warning: checktime reached, " "running e2fsck is recommended"); + handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1); + if (IS_ERR(handle)) + return PTR_ERR(handle); -+ res = ext4_journal_get_write_access(handle, EXT4_SB(sb)->s_sbh); -+ if (res) { ++ err = ext4_journal_get_write_access(handle, EXT4_SB(sb)->s_sbh); ++ if (err) { + stop_journal: + ext4_journal_stop(handle); -+ return res; ++ return err; + } if (!sbi->s_journal) es->s_state &= cpu_to_le16(~EXT4_VALID_FS); if (!(__s16) le16_to_cpu(es->s_max_mnt_count)) -@@ -2148,7 +2158,17 @@ static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, +@@ -2188,7 +2198,17 @@ static int ext4_setup_super(struct super_block *sb, struct ext4_super_block *es, ext4_update_dynamic_rev(sb); if (sbi->s_journal) ext4_set_feature_journal_needs_recovery(sb); 
@@ -63,17 +63,17 @@ index 7c46693a14d7..6783af7ec115 100644 + es->s_journal_dev = cpu_to_le32(journal_devnum); + if (DUMMY_ENCRYPTION_ENABLED(sbi)) + ext4_set_feature_encrypt(sb); -+ res = ext4_handle_dirty_super(handle, sb); -+ if (res) ++ err = ext4_handle_dirty_super(handle, sb); ++ if (err) + goto stop_journal; -+ res = ext4_journal_stop(handle); -+ if (res) -+ return res; ++ err = ext4_journal_stop(handle); ++ if (err) ++ return err; + ext4_journal_force_commit(sbi->s_journal); - ext4_commit_super(sb, 1); + err = ext4_commit_super(sb, 1); done: if (test_opt(sb, DEBUG)) -@@ -4116,8 +4136,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) +@@ -4229,8 +4249,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) set_task_ioprio(sbi->s_journal->j_task, journal_ioprio); @@ -82,7 +82,7 @@ index 7c46693a14d7..6783af7ec115 100644 no_journal: if (!test_opt(sb, NO_MBCACHE)) { sbi->s_ea_block_cache = ext4_xattr_create_cache(); -@@ -4144,12 +4162,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) +@@ -4257,12 +4275,6 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) goto failed_mount_wq; } 
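Review bot: The return value of `ext4_journal_force_commit(sbi->s_journal)` is dropped on the line just before `err = ext4_commit_super(sb, 1);`, while every other journal call on this path (`ext4_journal_get_write_access`, `ext4_handle_dirty_super`, `ext4_journal_stop`) now propagates its error through `err`. If a failed forced commit should abort setup, make it `err = ext4_journal_force_commit(sbi->s_journal); if (err) return err;`; if it is deliberately best-effort, a one-line comment saying so would keep a later rebase from "fixing" it either way. Relatedly, the `stop_journal:` label that `goto stop_journal` jumps to sits inside the `if (err) { … }` block of the get_write_access check; hoisting it to a normal cleanup label after the success path would read more conventionally. The body of ext4_setup_super continues outside this hunk in both directions.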
@@ -95,19 +95,16 @@ index 7c46693a14d7..6783af7ec115 100644 /* * Get the # of file system overhead blocks from the * superblock if present. -@@ -4198,7 +4210,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) +@@ -4311,7 +4323,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) goto failed_mount4; } -- if (ext4_setup_super(sb, es, sb_rdonly(sb))) -+ err = ext4_setup_super(sb, es, journal_devnum, sb_rdonly(sb)); -+ if (err < 0) -+ goto failed_mount4a; -+ if (err) +- ret = ext4_setup_super(sb, es, sb_rdonly(sb)); ++ ret = ext4_setup_super(sb, es, journal_devnum, sb_rdonly(sb)); + if (ret == -EROFS) { sb->s_flags |= SB_RDONLY; - - /* determine the minimum size of new large inodes, if present */ -@@ -4293,6 +4308,9 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) + ret = 0; +@@ -4410,6 +4422,9 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) } #endif /* CONFIG_QUOTA */ @@ -117,7 +114,7 @@ index 7c46693a14d7..6783af7ec115 100644 EXT4_SB(sb)->s_mount_state |= EXT4_ORPHAN_FS; ext4_orphan_cleanup(sb, es); EXT4_SB(sb)->s_mount_state &= ~EXT4_ORPHAN_FS; -@@ -4663,15 +4681,6 @@ static int ext4_load_journal(struct super_block *sb, +@@ -4780,15 +4795,6 @@ static int ext4_load_journal(struct super_block *sb, EXT4_SB(sb)->s_journal = journal; ext4_clear_journal_err(sb, es); 
@@ -133,16 +130,12 @@ index 7c46693a14d7..6783af7ec115 100644 return 0; } -@@ -5139,8 +5148,10 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data) - if (sbi->s_journal) +@@ -5263,7 +5269,7 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data) ext4_clear_journal_err(sb, es); sbi->s_mount_state = le16_to_cpu(es->s_state); -- if (!ext4_setup_super(sb, es, 0)) -- sb->s_flags &= ~SB_RDONLY; -+ sb->s_flags &= ~SB_RDONLY; + +- err = ext4_setup_super(sb, es, 0); + err = ext4_setup_super(sb, es, 0, 0); -+ if (err) -+ goto restore_opts; - if (ext4_has_feature_mmp(sb)) - if (ext4_multi_mount_protect(sb, - le64_to_cpu(es->s_mmp_block))) { + if (err) + goto restore_opts; + diff --git a/never-move-system.data-out-of-the-inode-body b/never-move-system.data-out-of-the-inode-body deleted file mode 100644 index 87ca4692..00000000 --- a/never-move-system.data-out-of-the-inode-body +++ /dev/null 
@@ -1,30 +0,0 @@
-ext4: never move the system.data xattr out of the inode body
-
-When expanding the extra isize space, we must never move the
-system.data xattr out of the inode body. For performance reasons, it
-doesn't make any sense, and the inline data implementation assumes
-that system.data xattr is never in the external xattr block.
-
-This addresses CVE-2018-10880
-
-https://bugzilla.kernel.org/show_bug.cgi?id=200005
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
-diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
-index 0263692979ec..72377b77fbd7 100644
---- a/fs/ext4/xattr.c
-+++ b/fs/ext4/xattr.c
-@@ -2657,6 +2657,11 @@ static int ext4_xattr_make_inode_space(handle_t *handle, struct inode *inode,
- last = IFIRST(header);
- /* Find the entry best suited to be pushed into EA block */
- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
-+ /* never move system.data out of the inode */
-+ if ((last->e_name_len == 4) &&
-+ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) &&
-+ !memcmp(last->e_name, "data", 4))
-+ continue;
- total_size = EXT4_XATTR_LEN(last->e_name_len);
- if (!last->e_value_inum)
- total_size += EXT4_XATTR_SIZE(
diff --git a/only-look-at-bg_flags-if-valid b/only-look-at-bg_flags-if-valid
deleted file mode 100644
index 27351c5e..00000000
--- a/only-look-at-bg_flags-if-valid
+++ /dev/null
@@ -1,130 +0,0 @@
-ext4: only look at the bg_flags field if it is valid
-
-The bg_flags field in the block group descripts is only valid if the
-uninit_bg or metadata_csum feature is enabled. We were not
-consistently looking at this field; fix this.
-
-Also block group #0 must never have uninitialized allocation bitmaps,
-or need to be zeroed, since that's where the root inode, and other
-special inodes are set up. Check for these conditions and mark the
-file system as corrupted if they are detected.
-
-This addresses CVE-2018-10876.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=199403
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
- fs/ext4/balloc.c | 11 ++++++++++-
- fs/ext4/ialloc.c | 14 ++++++++++++--
- fs/ext4/mballoc.c | 6 ++++--
- fs/ext4/super.c | 11 ++++++++++-
- 4 files changed, 36 insertions(+), 6 deletions(-)
-
-diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
-index 8a2e202ade8a..e68cefe08261 100644
---- a/fs/ext4/balloc.c
-+++ b/fs/ext4/balloc.c
-@@ -438,7 +438,16 @@ ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
- goto verify;
- }
- ext4_lock_group(sb, block_group);
-- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
-+ if (ext4_has_group_desc_csum(sb) &&
-+ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
-+ if (block_group == 0) {
-+ ext4_unlock_group(sb, block_group);
-+ unlock_buffer(bh);
-+ ext4_error(sb, "Block bitmap for bg 0 marked "
-+ "uninitialized");
-+ err = -EFSCORRUPTED;
-+ goto out;
-+ }
- err = ext4_init_block_bitmap(sb, bh, block_group, desc);
- set_bitmap_uptodate(bh);
- set_buffer_uptodate(bh);
-diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
-index 4d6e007f3569..da6c10c1e37a 100644
---- a/fs/ext4/ialloc.c
-+++ b/fs/ext4/ialloc.c
-@@ -150,7 +150,16 @@ ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
- }
-
- ext4_lock_group(sb, block_group);
-- if (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT)) {
-+ if (ext4_has_group_desc_csum(sb) &&
-+ (desc->bg_flags & cpu_to_le16(EXT4_BG_INODE_UNINIT))) {
-+ if (block_group == 0) {
-+ ext4_unlock_group(sb, block_group);
-+ unlock_buffer(bh);
-+ ext4_error(sb, "Inode bitmap for bg 0 marked "
-+ "uninitialized");
-+ err = -EFSCORRUPTED;
-+ goto out;
-+ }
- memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8);
- ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb),
- sb->s_blocksize * 8, bh->b_data);
-@@ -994,7 +1003,8 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir,
-
- /* recheck and clear flag under lock if we still need to */
- ext4_lock_group(sb, group);
-- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
-+ if (ext4_has_group_desc_csum(sb) &&
-+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
- gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
- ext4_free_group_clusters_set(sb, gdp,
- ext4_free_clusters_after_init(sb, group, gdp));
-diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
-index 243c42fdc155..402c769c51ea 100644
---- a/fs/ext4/mballoc.c
-+++ b/fs/ext4/mballoc.c
-@@ -2444,7 +2444,8 @@ int ext4_mb_add_groupinfo(struct super_block *sb, ext4_group_t group,
- * initialize bb_free to be able to skip
- * empty groups without initialization
- */
-- if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
-+ if (ext4_has_group_desc_csum(sb) &&
-+ (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
- meta_group_info[i]->bb_free =
- ext4_free_clusters_after_init(sb, group, desc);
- } else {
-@@ -3010,7 +3011,8 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac,
- #endif
- ext4_set_bits(bitmap_bh->b_data, ac->ac_b_ex.fe_start,
- ac->ac_b_ex.fe_len);
-- if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
-+ if (ext4_has_group_desc_csum(sb) &&
-+ (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT))) {
- gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
- ext4_free_group_clusters_set(sb, gdp,
- ext4_free_clusters_after_init(sb,
-diff --git a/fs/ext4/super.c b/fs/ext4/super.c
-index c61675d62195..4d34430d75f6 100644
---- a/fs/ext4/super.c
-+++ b/fs/ext4/super.c
-@@ -3139,13 +3139,22 @@ static ext4_group_t ext4_has_uninit_itable(struct super_block *sb)
- ext4_group_t group, ngroups = EXT4_SB(sb)->s_groups_count;
- struct ext4_group_desc *gdp = NULL;
-
-+ if (!ext4_has_group_desc_csum(sb))
-+ return ngroups;
-+
- for (group = 0; group < ngroups; group++) {
- gdp = ext4_get_group_desc(sb, group, NULL);
- if (!gdp)
- continue;
-
-- if (!(gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED)))
-+ if (gdp->bg_flags & cpu_to_le16(EXT4_BG_INODE_ZEROED))
-+ continue;
-+ if (group != 0)
- break;
-+ ext4_error(sb, "Inode table for bg 0 marked as "
-+ "needing zeroing");
-+ if (sb_rdonly(sb))
-+ return ngroups;
- }
-
- return group;
diff --git a/series b/series
index e4ed1adf..aeb488a8 100644
--- a/series
+++ b/series
@@ -1,20 +1,5 @@
-# 4f2f76f75143
+# v4.18-rc4
-add-warn-on-error-mount-option
-add-corruption-check-in-ext4_xattr_set_entry
-always-verify-magic-number-in-xattr-blocks
-always-check-bg-bounds-in-ext4_init_block_bitmap
-check-that-metadata-blocks-dont-overlap-bg-descriptors
-only-look-at-bg_flags-if-valid
-verify-depth-in-ext4_find_extent
-include-illegal-physical-block-in-bad-map-error-msg
-clear-i_data-in-ext4_inode_info-when-destroying-inline-data
-never-move-system.data-out-of-the-inode-body
-dont-mark-buffer-has-modified-if-the-handle-is-out-of-credits
-avoid-running-out-journal-credits-when-appending-to-an-inline-file
-add-more-inode-number-paranoia-checks
-add-more-mount-time-superblock-checking
-check-superblock-mapped-prior-to-committing
 fix-ext4_check_descriptors
 clean-mmp-status-on-remount-ro
@@ -26,7 +11,6 @@ stable-boundary
 stable-boundary-undo.patch
 # Lazy journalling patches
-jbd2-suppress-extra-newline-in-jbd2_debug
 jbd2-dont-double-bump-transaction-number
 journal-superblock-changes
 add-journal-no-cleanup-option
diff --git a/timestamps b/timestamps
index 85a65b61..7b631e2b 100755
--- a/timestamps
+++ b/timestamps
@@ -22,38 +22,22 @@ touch -d @1493511621 old-patches
 touch -d @1496678952 add-reg_convert_inline_data_nolock
 touch -d @1496698150 fix-up-ext4_try_to_write_inline_data
 touch -d @1519010827 do-not-update-superblock-after-shutdown
-touch -d @1522639383 stable-boundary-undo.patch
-touch -d @1522639443 jbd2-suppress-extra-newline-in-jbd2_debug
-touch -d @1522639503 jbd2-dont-double-bump-transaction-number
-touch -d @1522639563 journal-superblock-changes
-touch -d @1522639623 add-journal-no-cleanup-option
-touch -d @1523242005 add-support-for-log-metadata-block-tracking-in-log
-touch -d @1523242044 add-indirection-to-metadata-block-read-paths
-touch -d @1523242121 cleaner
-touch -d @1523242124 disable-writeback
-touch -d @1523242124 load-jmap-from-journal
-touch -d @1523242125 add-ext4-journal-lazy-mount-option
-touch -d @1528860897 add-warn-on-error-mount-option
-touch -d @1528863791 add-corruption-check-in-ext4_xattr_set_entry
-touch -d @1528865488 always-verify-magic-number-in-xattr-blocks
-touch -d @1528945248 always-check-bg-bounds-in-ext4_init_block_bitmap
-touch -d @1528945706 check-that-metadata-blocks-dont-overlap-bg-descriptors
-touch -d @1528952280 only-look-at-bg_flags-if-valid
-touch -d @1528995310 verify-depth-in-ext4_find_extent
-touch -d @1529080036 include-illegal-physical-block-in-bad-map-error-msg
-touch -d @1529080096 clear-i_data-in-ext4_inode_info-when-destroying-inline-data
-touch -d @1529178048 never-move-system.data-out-of-the-inode-body
-touch -d @1529194905 dont-mark-buffer-has-modified-if-the-handle-is-out-of-credits
-touch -d @1529206919 avoid-running-out-journal-credits-when-appending-to-an-inline-file
-touch -d @1529210474 add-more-inode-number-paranoia-checks
-touch -d @1529210534 stable-boundary
-touch -d @1529273480 add-more-mount-time-superblock-checking
 touch -d @1530569804 handle-layout-changes-to-pinned-DAX-mappings.mbox
 touch -d @1530569831 dax_layout_busy_warn_on_not_exceptional
 touch -d @1530569881 handle-layout-changes-to-pinned-DAX-mappings
-touch -d @1530571518 check-superblock-mapped-prior-to-committing
-touch -d @1530677152 series
-touch -d @1531024315 clean-mmp-status-on-remount-ro
-touch -d @1531025544 fix-ext4_check_descriptors
-touch -d @1531098766 status
-touch -d @1531099021 timestamps
+touch -d @1531092902 fix-ext4_check_descriptors
+touch -d @1531092962 clean-mmp-status-on-remount-ro
+touch -d @1531093022 stable-boundary
+touch -d @1531093082 stable-boundary-undo.patch
+touch -d @1531093142 jbd2-dont-double-bump-transaction-number
+touch -d @1531109369 series
+touch -d @1531110003 journal-superblock-changes
+touch -d @1531110096 add-journal-no-cleanup-option
+touch -d @1531110156 add-support-for-log-metadata-block-tracking-in-log
+touch -d @1531110216 add-indirection-to-metadata-block-read-paths
+touch -d @1531110276 cleaner
+touch -d @1531110336 load-jmap-from-journal
+touch -d @1531110396 disable-writeback
+touch -d @1531115020 add-ext4-journal-lazy-mount-option
+touch -d @1531115097 status
+touch -d @1531115106 timestamps
diff --git a/verify-depth-in-ext4_find_extent b/verify-depth-in-ext4_find_extent
deleted file mode 100644
index c43a32c2..00000000
--- a/verify-depth-in-ext4_find_extent
+++ /dev/null
@@ -1,42 +0,0 @@
-ext4: verify the depth of extent tree in ext4_find_extent()
-
-If there is a corupted file system where the claimed depth of the
-extent tree is -1, this can cause a massive buffer overrun leading to
-sadness.
-
-This addresses CVE-2018-10877.
-
-https://bugzilla.kernel.org/show_bug.cgi?id=199417
-
-Signed-off-by: Theodore Ts'o
-Cc: stable@kernel.org
----
-diff --git a/fs/ext4/ext4_extents.h b/fs/ext4/ext4_extents.h
-index 98fb0c119c68..adf6668b596f 100644
---- a/fs/ext4/ext4_extents.h
-+++ b/fs/ext4/ext4_extents.h
-@@ -91,6 +91,7 @@ struct ext4_extent_header {
- };
-
- #define EXT4_EXT_MAGIC cpu_to_le16(0xf30a)
-+#define EXT4_MAX_EXTENT_DEPTH 5
-
- #define EXT4_EXTENT_TAIL_OFFSET(hdr) \
- (sizeof(struct ext4_extent_header) + \
-diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
-index c969275ce3ee..08226f72b7ee 100644
---- a/fs/ext4/extents.c
-+++ b/fs/ext4/extents.c
-@@ -869,6 +869,12 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block,
-
- eh = ext_inode_hdr(inode);
- depth = ext_depth(inode);
-+ if (depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) {
-+ EXT4_ERROR_INODE(inode, "inode has invalid extent depth: %d",
-+ depth);
-+ ret = -EFSCORRUPTED;
-+ goto err;
-+ }
-
- if (path) {
- ext4_ext_drop_refs(path);
-- 2.11.4.GIT