From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com,
Jan Kara <jack@suse.cz>, Barret Rhoden <brho@google.com>,
Theodore Tso <tytso@mit.edu>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.4 15/76] ext4: fix use-after-free race with debug_want_extra_isize
Date: Wed, 22 Jan 2020 10:28:31 +0100 [thread overview]
Message-ID: <20200122092753.100629343@linuxfoundation.org> (raw)
In-Reply-To: <20200122092751.587775548@linuxfoundation.org>
From: Barret Rhoden <brho@google.com>
commit 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 upstream.
When remounting with debug_want_extra_isize, we were not performing the
same checks that we do during a normal mount. That allowed us to set a
value for s_want_extra_isize that reached outside the s_inode_size.
Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate functions")
Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Barret Rhoden <brho@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 4.4: The debug_want_extra_isize mount option is not
supported]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 56 +++++++++++++++++++++++++++++++++-----------------------
1 file changed, 33 insertions(+), 23 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3169,6 +3169,36 @@ int ext4_calculate_overhead(struct super
return 0;
}
+static void ext4_clamp_want_extra_isize(struct super_block *sb)
+{
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct ext4_super_block *es = sbi->s_es;
+
+ /* determine the minimum size of new large inodes, if present */
+ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
+ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+ EXT4_GOOD_OLD_INODE_SIZE;
+ if (ext4_has_feature_extra_isize(sb)) {
+ if (sbi->s_want_extra_isize <
+ le16_to_cpu(es->s_want_extra_isize))
+ sbi->s_want_extra_isize =
+ le16_to_cpu(es->s_want_extra_isize);
+ if (sbi->s_want_extra_isize <
+ le16_to_cpu(es->s_min_extra_isize))
+ sbi->s_want_extra_isize =
+ le16_to_cpu(es->s_min_extra_isize);
+ }
+ }
+ /* Check if enough inode space is available */
+ if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+ sbi->s_inode_size) {
+ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+ EXT4_GOOD_OLD_INODE_SIZE;
+ ext4_msg(sb, KERN_INFO,
+ "required extra inode space not available");
+ }
+}
+
static void ext4_set_resv_clusters(struct super_block *sb)
{
ext4_fsblk_t resv_clusters;
@@ -3991,29 +4021,7 @@ no_journal:
if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY))
sb->s_flags |= MS_RDONLY;
- /* determine the minimum size of new large inodes, if present */
- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
- EXT4_GOOD_OLD_INODE_SIZE;
- if (ext4_has_feature_extra_isize(sb)) {
- if (sbi->s_want_extra_isize <
- le16_to_cpu(es->s_want_extra_isize))
- sbi->s_want_extra_isize =
- le16_to_cpu(es->s_want_extra_isize);
- if (sbi->s_want_extra_isize <
- le16_to_cpu(es->s_min_extra_isize))
- sbi->s_want_extra_isize =
- le16_to_cpu(es->s_min_extra_isize);
- }
- }
- /* Check if enough inode space is available */
- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
- sbi->s_inode_size) {
- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
- EXT4_GOOD_OLD_INODE_SIZE;
- ext4_msg(sb, KERN_INFO, "required extra inode space not"
- "available");
- }
+ ext4_clamp_want_extra_isize(sb);
ext4_set_resv_clusters(sb);
@@ -4766,6 +4774,8 @@ static int ext4_remount(struct super_blo
goto restore_opts;
}
+ ext4_clamp_want_extra_isize(sb);
+
if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^
test_opt(sb, JOURNAL_CHECKSUM)) {
ext4_msg(sb, KERN_ERR, "changing journal_checksum "
next prev parent reply other threads:[~2020-01-22 9:30 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 9:28 [PATCH 4.4 00/76] 4.4.211-stable review Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 01/76] hidraw: Return EPOLLOUT from hidraw_poll Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 02/76] HID: hidraw: Fix returning " Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 03/76] HID: hidraw, uhid: Always report EPOLLOUT Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 04/76] rsi: add fix for crash during assertions Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 05/76] cfg80211/mac80211: make ieee80211_send_layer2_update a public function Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 06/76] mac80211: Do not send Layer 2 Update frame before authorization Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 07/76] media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 08/76] p54usb: Fix race between disconnect and firmware loading Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 09/76] ALSA: line6: Fix write on zero-sized buffer Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 10/76] ALSA: line6: Fix memory leak at line6_init_pcm() error path Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 11/76] mm/page_alloc.c: calculate available memory in a separate function Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 12/76] xen: let alloc_xenballooned_pages() fail if not enough memory free Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 13/76] wimax: i2400: fix memory leak Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 14/76] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle Greg Kroah-Hartman
2020-01-22 9:28 ` Greg Kroah-Hartman [this message]
2020-01-22 9:28 ` [PATCH 4.4 16/76] ext4: add more paranoia checking in ext4_expand_extra_isize handling Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 17/76] dccp: Fix memleak in __feat_register_sp Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 18/76] rtc: mt6397: fix alarm register overwrite Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 19/76] iommu: Remove device link to group on failure Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 20/76] gpio: Fix error message on out-of-range GPIO in lookup table Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 21/76] hsr: reset network header when supervision frame is created Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 22/76] cifs: Adjust indentation in smb2_open_file Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 23/76] RDMA/srpt: Report the SCSI residual to the initiator Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 24/76] scsi: enclosure: Fix stale device oops with hot replug Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 25/76] scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 26/76] platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 27/76] iio: imu: adis16480: assign bias value only if operation succeeded Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 28/76] mei: fix modalias documentation Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 29/76] clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 30/76] compat_ioctl: handle SIOCOUTQNSD Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 31/76] tty: serial: imx: use the sg count from dma_map_sg Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 32/76] tty: serial: pch_uart: correct usage of dma_unmap_sg Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 33/76] media: exynos4-is: Fix recursive locking in isp_video_release() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 34/76] spi: atmel: fix handling of cs_change set on non-last xfer Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 35/76] rtlwifi: Remove unnecessary NULL check in rtl_regd_init Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 36/76] rtc: msm6242: Fix reading of 10-hour digit Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 37/76] rseq/selftests: Turn off timeout setting Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 38/76] hexagon: work around compiler crash Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 39/76] ocfs2: call journal flush to mark journal as empty after journal recovery when mount Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 40/76] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 41/76] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 42/76] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.4 43/76] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 44/76] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 45/76] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 46/76] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 47/76] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 48/76] USB: serial: quatech2: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 49/76] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 50/76] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 51/76] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 52/76] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 53/76] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 54/76] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 55/76] USB: serial: io_edgeport: use irqsave() in USBs complete callback Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 56/76] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 57/76] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 58/76] scsi: fnic: use kernels %pM format option to print MAC Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 59/76] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 60/76] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 61/76] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 62/76] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 63/76] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 64/76] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 65/76] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 66/76] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 67/76] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 68/76] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 69/76] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 70/76] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 71/76] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 72/76] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 73/76] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 74/76] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 75/76] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.4 76/76] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22 14:57 ` [PATCH 4.4 00/76] 4.4.211-stable review Jon Hunter
2020-01-22 18:59 ` Guenter Roeck
2020-01-22 20:21 ` Naresh Kamboju
2020-01-22 20:52 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122092753.100629343@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=brho@google.com \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).