1 files changed, 65 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-10883-jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch b/patches/cve/CVE-2018-10883-jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch
new file mode 100644
index 0000000..d69548e
--- /dev/null
+++ b/patches/cve/CVE-2018-10883-jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch
@@ -0,0 +1,65 @@
+From 0321e68838d7ba2528b367b879b2fcf9d96a2099 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Sat, 16 Jun 2018 20:21:45 -0400
+Subject: [PATCH] jbd2: don't mark block as modified if the handle is out of
+ credits
+commit e09463f220ca9a1a1ecfda84fcda658f99a1f12a upstream.
+Do not set the b_modified flag in block's journal head should not
+until after we're sure that jbd2_journal_dirty_metadat() will not
+abort with an error due to there not being enough space reserved in
+the jbd2 handle.
+Otherwise, future attempts to modify the buffer may lead a large
+number of spurious errors and warnings.
+This addresses CVE-2018-10883.
+https://bugzilla.kernel.org/show_bug.cgi?id=200071
+CVE: CVE-2018-10883
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=0321e68838d7ba2528b367b879b2fcf9d96a2099]
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/jbd2/transaction.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index 07793e25c976..e42736c1fdc8 100644
+--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
+@@ -1366,6 +1366,13 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
+                if (jh->b_transaction == transaction &&
+                    jh->b_jlist != BJ_Metadata) {
+                        jbd_lock_bh_state(bh);
+                       if (jh->b_transaction == transaction &&
+                           jh->b_jlist != BJ_Metadata)
+                               pr_err("JBD2: assertion failure: h_type=%u "
+                                      "h_line_no=%u block_no=%llu jlist=%u\n",
+                                      handle->h_type, handle->h_line_no,
+                                      (unsigned long long) bh->b_blocknr,
+                                      jh->b_jlist);
+                        J_ASSERT_JH(jh, jh->b_transaction != transaction ||
+                                        jh->b_jlist == BJ_Metadata);
+                        jbd_unlock_bh_state(bh);
+@@ -1385,11 +1392,11 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh)
+                 * of the transaction. This needs to be done
+                 * once a transaction -bzzz
+                 */
+-               jh->b_modified = 1;
+                if (handle->h_buffer_credits <= 0) {
+                        ret = -ENOSPC;
+                        goto out_unlock_bh;
+                }
+               jh->b_modified = 1;
+                handle->h_buffer_credits--;
+        }
+ 
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-10883-jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch b/patches/cve/CVE-2018-10883-jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch new file mode 100644 index 0000000..d69548e --- /dev/null +++ b/patches/cve/CVE-2018-10883-jbd2-don-t-mark-block-as-modified-if-the-handle-is-o.patch
@@ -0,0 +1,65 @@
	1	From 0321e68838d7ba2528b367b879b2fcf9d96a2099 Mon Sep 17 00:00:00 2001
	2	From: Theodore Ts'o <tytso@mit.edu>
	3	Date: Sat, 16 Jun 2018 20:21:45 -0400
	4	Subject: [PATCH] jbd2: don't mark block as modified if the handle is out of
	5	credits
	6
	7	commit e09463f220ca9a1a1ecfda84fcda658f99a1f12a upstream.
	8
	9	Do not set the b_modified flag in block's journal head should not
	10	until after we're sure that jbd2_journal_dirty_metadat() will not
	11	abort with an error due to there not being enough space reserved in
	12	the jbd2 handle.
	13
	14	Otherwise, future attempts to modify the buffer may lead a large
	15	number of spurious errors and warnings.
	16
	17	This addresses CVE-2018-10883.
	18
	19	https://bugzilla.kernel.org/show_bug.cgi?id=200071
	20
	21	CVE: CVE-2018-10883
	22	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=0321e68838d7ba2528b367b879b2fcf9d96a2099]
	23
	24	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
	25	Cc: stable@kernel.org
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	28	---
	29	fs/jbd2/transaction.c \| 9 ++++++++-
	30	1 file changed, 8 insertions(+), 1 deletion(-)
	31
	32	diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
	33	index 07793e25c976..e42736c1fdc8 100644
	34	--- a/fs/jbd2/transaction.c
	35	+++ b/fs/jbd2/transaction.c
	36	@@ -1366,6 +1366,13 @@ int jbd2_journal_dirty_metadata(handle_t handle, struct buffer_head bh)
	37	if (jh->b_transaction == transaction &&
	38	jh->b_jlist != BJ_Metadata) {
	39	jbd_lock_bh_state(bh);
	40	+ if (jh->b_transaction == transaction &&
	41	+ jh->b_jlist != BJ_Metadata)
	42	+ pr_err("JBD2: assertion failure: h_type=%u "
	43	+ "h_line_no=%u block_no=%llu jlist=%u\n",
	44	+ handle->h_type, handle->h_line_no,
	45	+ (unsigned long long) bh->b_blocknr,
	46	+ jh->b_jlist);
	47	J_ASSERT_JH(jh, jh->b_transaction != transaction \|\|
	48	jh->b_jlist == BJ_Metadata);
	49	jbd_unlock_bh_state(bh);
	50	@@ -1385,11 +1392,11 @@ int jbd2_journal_dirty_metadata(handle_t handle, struct buffer_head bh)
	51	* of the transaction. This needs to be done
	52	* once a transaction -bzzz
	53	*/
	54	- jh->b_modified = 1;
	55	if (handle->h_buffer_credits <= 0) {
	56	ret = -ENOSPC;
	57	goto out_unlock_bh;
	58	}
	59	+ jh->b_modified = 1;
	60	handle->h_buffer_credits--;
	61	}
	62
	63	--
	64	2.20.1
	65