Ack: Re: [CVE-2011-4086] jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
Herton Ronaldo Krzesinski
herton.krzesinski at canonical.com
Fri Apr 20 13:40:08 UTC 2012
On Fri, Apr 20, 2012 at 12:47:16PM +0200, Stefan Bader wrote:
> Local DoS because of journal_unmap_buffer()
>
> This is pending in Oneiric but can be cherry-picked all the way
> back into Hardy. Proposing for Hardy, Lucid, Natty, Natty/ti-omap4.
>
> -Stefan
>
> From 15291164b22a357cb211b618adfef4fa82fc0de3 Mon Sep 17 00:00:00 2001
> From: Eric Sandeen <sandeen at redhat.com>
> Date: Mon, 20 Feb 2012 17:53:01 -0500
> Subject: [PATCH] jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
>
> journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
> state ala discard_buffer(), but does not touch _Delay or _Unwritten as
> discard_buffer() does.
>
> This can be problematic in some areas of the ext4 code which assume
> that if they have found a buffer marked unwritten or delay, then it's
> a live one. Perhaps those spots should check whether it is mapped
> as well, but if jbd2 is going to tear down a buffer, let's really
> tear it down completely.
>
> Without this I get some fsx failures on sub-page-block filesystems
> up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
> and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
> away, because buried within that large change is some more flag
> clearing. I still think it's worth doing in jbd2, since
> ->invalidatepage leads here directly, and it's the right place
> to clear away these flags.
>
> Signed-off-by: Eric Sandeen <sandeen at redhat.com>
> Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
> Cc: stable at vger.kernel.org
>
> BugLink: http://bugs.launchpad.net/bugs/929781
> CVE-2011-4086
>
> (cherry-picked from 15291164b22a357cb211b618adfef4fa82fc0de3 upstream)
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
> fs/jbd2/transaction.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
> index 35ae096..52653306 100644
> --- a/fs/jbd2/transaction.c
> +++ b/fs/jbd2/transaction.c
> @@ -1949,6 +1949,8 @@ zap_buffer_unlocked:
> clear_buffer_mapped(bh);
> clear_buffer_req(bh);
> clear_buffer_new(bh);
> + clear_buffer_delay(bh);
> + clear_buffer_unwritten(bh);
> bh->b_bdev = NULL;
> return may_free;
> }
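Review bot: the two added clears land under the zap_buffer_unlocked: label shown in the hunk header, next to the existing clear_buffer_mapped()/clear_buffer_req()/clear_buffer_new() calls, whereas the commit message talks about the "zap_buffer:" code; before cherry-picking to Hardy, Lucid and Natty, confirm that in each of those trees the zap_buffer: path still falls through to this block rather than returning earlier (otherwise the fix would not cover every tear-down path), and that clear_buffer_delay() and clear_buffer_unwritten() exist in the oldest tree's include/linux/buffer_head.h so the backport compiles. Placing the clears after clear_buffer_new(bh) and before bh->b_bdev = NULL mirrors the discard_buffer() sequence the message cites, so no reordering is needed.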
> --
> 1.7.9.5
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
--
[]'s
Herton