fix-xattr-shifting-when-expanding-inodes-2

   1 ext4: fix xattr shifting when expanding inodes part 2
   2
   3 From: Jan Kara <jack@suse.cz>
   4
   5 When multiple xattrs need to be moved out of inode, we did not properly
   6 recompute total size of xattr headers in the inode and the new header
   7 position. Thus when moving the second and further xattr we asked
   8 ext4_xattr_shift_entries() to move too much and from the wrong place,
   9 resulting in possible xattr value corruption or general memory
  10 corruption.
  11
  12 CC: stable@vger.kernel.org  # 4.4.x
  13 Signed-off-by: Jan Kara <jack@suse.cz>
  14 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  15 ---
  16  fs/ext4/xattr.c | 5 +++--
  17  1 file changed, 3 insertions(+), 2 deletions(-)
  18
  19 diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
  20 index cb1d7b4482de..b18b1ff7cc27 100644
  21 --- a/fs/ext4/xattr.c
  22 +++ b/fs/ext4/xattr.c
  23 @@ -1516,6 +1516,7 @@ retry:
  24                 error = ext4_xattr_ibody_set(handle, inode, &i, is);
  25                 if (error)
  26                         goto cleanup;
  27 +               total_ino -= entry_size;
  28
  29                 entry = IFIRST(header);
  30                 if (entry_size + EXT4_XATTR_SIZE(size) >= isize_diff)
  31 @@ -1526,11 +1527,11 @@ retry:
  32                 ext4_xattr_shift_entries(entry, -shift_bytes,
  33                         (void *)raw_inode + EXT4_GOOD_OLD_INODE_SIZE +
  34                         EXT4_I(inode)->i_extra_isize + shift_bytes,
  35 -                       (void *)header, total_ino - entry_size,
  36 -                       inode->i_sb->s_blocksize);
  37 +                       (void *)header, total_ino, inode->i_sb->s_blocksize);
  38
  39                 isize_diff -= shift_bytes;
  40                 EXT4_I(inode)->i_extra_isize += shift_bytes;
  41 +               header = IHDR(inode, raw_inode);
  42
  43                 i.name = b_entry_name;
  44                 i.value = buffer;
  45 --
  46 2.6.6
  47
  48