jbd2: don't mark block as modified if the handle is out of credits (e09463f2) · Commits · 戴 / test

Do not set the b_modified flag in block's journal head should not until after we're sure that jbd2_journal_dirty_metadat() will not abort with an error due to there not being enough space reserved in the jbd2 handle. Otherwise, future attempts to modify the buffer may lead a large number of spurious errors and warnings. This addresses CVE-2018-10883. https://bugzilla.kernel.org/show_bug.cgi?id=200071 Signed-off-by:

Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org

fs/jbd2/transaction.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -1361,6 +1361,13 @@ int jbd2_journal_dirty_metadata(handle_t handle, struct buffer_head bh)
		if (jh->b_transaction == transaction &&
		jh->b_jlist != BJ_Metadata) {
		jbd_lock_bh_state(bh);
		if (jh->b_transaction == transaction &&
		jh->b_jlist != BJ_Metadata)
		pr_err("JBD2: assertion failure: h_type=%u "
		"h_line_no=%u block_no=%llu jlist=%u\n",
		handle->h_type, handle->h_line_no,
		(unsigned long long) bh->b_blocknr,
		jh->b_jlist);
		J_ASSERT_JH(jh, jh->b_transaction != transaction \|\|
		jh->b_jlist == BJ_Metadata);
		jbd_unlock_bh_state(bh);
		@@ -1380,11 +1387,11 @@ int jbd2_journal_dirty_metadata(handle_t handle, struct buffer_head bh)
		* of the transaction. This needs to be done
		* once a transaction -bzzz
		*/
		jh->b_modified = 1;
		if (handle->h_buffer_credits <= 0) {
		ret = -ENOSPC;
		goto out_unlock_bh;
		}
		jh->b_modified = 1;
		handle->h_buffer_credits--;
		}

Admin message