releases/3.16.61/ext4-bubble-errors-from-ext4_find_inline_data_nolock-up-to.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Theodore Ts'o <tytso@mit.edu>
 Date: Tue, 22 May 2018 17:14:07 -0400
 Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to
  ext4_iget()

 commit eb9b5f01c33adebc31cbc236c02695f605b0e417 upstream.

 If ext4_find_inline_data_nolock() returns an error it needs to get
 reflected up to ext4_iget().  In order to fix this,
 ext4_iget_extra_inode() needs to return an error (and not return
 void).

 This is related to "ext4: do not allow external inodes for inline
 data" (which fixes CVE-2018-11412) in that in the errors=continue
 case, it would be useful to for userspace to receive an error
 indicating that file system is corrupted.

 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
 Reviewed-by: Andreas Dilger <adilger@dilger.ca>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  fs/ext4/inode.c | 10 +++++++---
  1 file changed, 7 insertions(+), 3 deletions(-)

 --- a/fs/ext4/inode.c
 +++ b/fs/ext4/inode.c
 @@ -4159,19 +4159,21 @@ static blkcnt_t ext4_inode_blocks(struct
  	}
  }

 -static inline void ext4_iget_extra_inode(struct inode *inode,
 +static inline int ext4_iget_extra_inode(struct inode *inode,
  					 struct ext4_inode *raw_inode,
  					 struct ext4_inode_info *ei)
  {
  	__le32 *magic = (void *)raw_inode +
  			EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
 +
  	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
  	    EXT4_INODE_SIZE(inode->i_sb) &&
  	    *magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
  		ext4_set_inode_state(inode, EXT4_STATE_XATTR);
 -		ext4_find_inline_data_nolock(inode);
 +		return ext4_find_inline_data_nolock(inode);
  	} else
  		EXT4_I(inode)->i_inline_off = 0;
 +	return 0;
  }

  struct inode *ext4_iget(struct super_block *sb, unsigned long ino)
 @@ -4331,7 +4333,9 @@ struct inode *ext4_iget(struct super_blo
  			ei->i_extra_isize = sizeof(struct ext4_inode) -
  					    EXT4_GOOD_OLD_INODE_SIZE;
  		} else {
 -			ext4_iget_extra_inode(inode, raw_inode, ei);
 +			ret = ext4_iget_extra_inode(inode, raw_inode, ei);
 +			if (ret)
 +				goto bad_inode;
  		}
  	}
	From: Theodore Ts'o <tytso@mit.edu>
	Date: Tue, 22 May 2018 17:14:07 -0400
	Subject: ext4: bubble errors from ext4_find_inline_data_nolock() up to
	ext4_iget()

	commit eb9b5f01c33adebc31cbc236c02695f605b0e417 upstream.

	If ext4_find_inline_data_nolock() returns an error it needs to get
	reflected up to ext4_iget(). In order to fix this,
	ext4_iget_extra_inode() needs to return an error (and not return
	void).

	This is related to "ext4: do not allow external inodes for inline
	data" (which fixes CVE-2018-11412) in that in the errors=continue
	case, it would be useful to for userspace to receive an error
	indicating that file system is corrupted.

	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	Reviewed-by: Andreas Dilger <adilger@dilger.ca>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	fs/ext4/inode.c \| 10 +++++++---
	1 file changed, 7 insertions(+), 3 deletions(-)

	--- a/fs/ext4/inode.c
	+++ b/fs/ext4/inode.c
	@@ -4159,19 +4159,21 @@ static blkcnt_t ext4_inode_blocks(struct
	}
	}

	-static inline void ext4_iget_extra_inode(struct inode *inode,
	+static inline int ext4_iget_extra_inode(struct inode *inode,
	struct ext4_inode *raw_inode,
	struct ext4_inode_info *ei)
	{
	__le32 magic = (void )raw_inode +
	EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize;
	+
	if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize + sizeof(__le32) <=
	EXT4_INODE_SIZE(inode->i_sb) &&
	*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
	ext4_set_inode_state(inode, EXT4_STATE_XATTR);
	- ext4_find_inline_data_nolock(inode);
	+ return ext4_find_inline_data_nolock(inode);
	} else
	EXT4_I(inode)->i_inline_off = 0;
	+ return 0;
	}

	struct inode ext4_iget(struct super_block sb, unsigned long ino)
	@@ -4331,7 +4333,9 @@ struct inode *ext4_iget(struct super_blo
	ei->i_extra_isize = sizeof(struct ext4_inode) -
	EXT4_GOOD_OLD_INODE_SIZE;
	} else {
	- ext4_iget_extra_inode(inode, raw_inode, ei);
	+ ret = ext4_iget_extra_inode(inode, raw_inode, ei);
	+ if (ret)
	+ goto bad_inode;
	}
	}