ACK[T]: [SRU][T][PATCH 1/1] xfs: set format back to extents if xfs_bmap_extents_to_btree
Kleber Souza
kleber.souza at canonical.com
Thu Jul 26 16:16:09 UTC 2018
On 07/06/18 07:33, Khalid Elmously wrote:
> From: Eric Sandeen <sandeen at redhat.com>
>
> CVE-2018-10323
>
> If xfs_bmap_extents_to_btree fails in a mode where we call
> xfs_iroot_realloc(-1) to de-allocate the root, set the
> format back to extents.
>
> Otherwise we can assume we can dereference ifp->if_broot
> based on the XFS_DINODE_FMT_BTREE format, and crash.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199423
> Signed-off-by: Eric Sandeen <sandeen at redhat.com>
> Reviewed-by: Christoph Hellwig <hch at lst.de>
> Reviewed-by: Darrick J. Wong <darrick.wong at oracle.com>
> Signed-off-by: Darrick J. Wong <darrick.wong at oracle.com>
> (backported from 2c4306f719b083d17df2963bc761777576b8ad1b)
> Signed-off-by: Khalid Elmously <khalid.elmously at canonical.com>
> ---
> fs/xfs/xfs_bmap.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/xfs/xfs_bmap.c b/fs/xfs/xfs_bmap.c
> index 6beb7a93a0e9..41013924bdcd 100644
> --- a/fs/xfs/xfs_bmap.c
> +++ b/fs/xfs/xfs_bmap.c
> @@ -823,6 +823,8 @@ xfs_bmap_extents_to_btree(
> *logflagsp = 0;
> if ((error = xfs_alloc_vextent(&args))) {
> xfs_iroot_realloc(ip, -1, whichfork);
> + ASSERT(ifp->if_broot == NULL);
> + XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS);
> xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
> return error;
> }
>
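Review bot: In the xfs_alloc_vextent() failure branch, the added ASSERT(ifp->if_broot == NULL) only checks anything on debug builds, so on production kernels the fix rests entirely on the XFS_IFORK_FMT_SET(ip, whichfork, XFS_DINODE_FMT_EXTENTS) line. That is fine as a fix, but a short comment above the two added lines would make the invariant obvious to later readers. It should say that xfs_iroot_realloc(ip, -1, whichfork) has de-allocated the root, so the fork must no longer claim btree format. Since this is a backport, it is also worth confirming that no other error return in xfs_bmap_extents_to_btree in this tree de-allocates the root without resetting the format; only this one path is visible in the hunk.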
The backport looks correct.
Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>