[kernel] r22473 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Mon Apr 6 17:28:52 UTC 2015


Author: benh
Date: Mon Apr  6 17:28:52 2015
New Revision: 22473

Log:
ext4: allocate entire range in zero range (CVE-2015-0275)

plus the two earlier upstream fixes to ext4_zero_range() that it depends on

Added:
   dists/sid/linux/debian/patches/bugfix/all/ext4-allocate-entire-range-in-zero-range.patch
   dists/sid/linux/debian/patches/bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
   dists/sid/linux/debian/patches/bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Mon Apr  6 17:24:48 2015	(r22472)
+++ dists/sid/linux/debian/changelog	Mon Apr  6 17:28:52 2015	(r22473)
@@ -181,6 +181,9 @@
   * IB/core: Prevent integer overflow in ib_umem_get address arithmetic
     (CVE-2014-8159)
   * Btrfs: make xattr replace operations atomic (CVE-2014-9710)
+  * ext4: fix ZERO_RANGE bug hidden by flag aliasing
+  * ext4: fix accidental flag aliasing in ext4_map_blocks flags
+  * ext4: allocate entire range in zero range (CVE-2015-0275)
 
  -- Ian Campbell <ijc at debian.org>  Wed, 18 Mar 2015 21:07:15 +0000
 

Added: dists/sid/linux/debian/patches/bugfix/all/ext4-allocate-entire-range-in-zero-range.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/ext4-allocate-entire-range-in-zero-range.patch	Mon Apr  6 17:28:52 2015	(r22473)
@@ -0,0 +1,72 @@
+From: Lukas Czerner <lczerner at redhat.com>
+Date: Fri, 3 Apr 2015 00:09:13 -0400
+Subject: ext4: allocate entire range in zero range
+Origin: https://git.kernel.org/cgit/linux/kernel/git/tytso/ext4.git/commit/?id=0f2af21aae11972fa924374ddcf52e88347cf5a8
+
+Currently there is a bug in zero range code which causes zero range
+calls to only allocate block aligned portion of the range, while
+ignoring the rest in some cases.
+
+In some cases, namely if the end of the range is past i_size, we do
+attempt to preallocate the last nonaligned block. However this might
+cause kernel to BUG() in some carefully designed zero range requests
+on setups where page size > block size.
+
+Fix this problem by first preallocating the entire range, including
+the nonaligned edges and converting the written extents to unwritten
+in the next step. This approach will also give us the advantage of
+having the range to be as linearly contiguous as possible.
+
+Signed-off-by: Lukas Czerner <lczerner at redhat.com>
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+---
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4795,12 +4795,6 @@ static long ext4_zero_range(struct file
+ 	else
+ 		max_blocks -= lblk;
+ 
+-	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
+-		EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
+-		EXT4_EX_NOCACHE;
+-	if (mode & FALLOC_FL_KEEP_SIZE)
+-		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
+-
+ 	mutex_lock(&inode->i_mutex);
+ 
+ 	/*
+@@ -4817,15 +4811,28 @@ static long ext4_zero_range(struct file
+ 		ret = inode_newsize_ok(inode, new_size);
+ 		if (ret)
+ 			goto out_mutex;
+-		/*
+-		 * If we have a partial block after EOF we have to allocate
+-		 * the entire block.
+-		 */
+-		if (partial_end)
+-			max_blocks += 1;
+ 	}
+ 
++	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT;
++	if (mode & FALLOC_FL_KEEP_SIZE)
++		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
++
++	/* Preallocate the range including the unaligned edges */
++	if (partial_begin || partial_end) {
++		ret = ext4_alloc_file_blocks(file,
++				round_down(offset, 1 << blkbits) >> blkbits,
++				(round_up((offset + len), 1 << blkbits) -
++				 round_down(offset, 1 << blkbits)) >> blkbits,
++				new_size, flags, mode);
++		if (ret)
++			goto out_mutex;
++
++	}
++
++	/* Zero range excluding the unaligned edges */
+ 	if (max_blocks > 0) {
++		flags |= (EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
++			  EXT4_EX_NOCACHE);
+ 
+ 		/* Now release the pages and zero block aligned part of pages*/
+ 		truncate_pagecache_range(inode, start, end - 1);
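Review bot: The new edge preallocation (`if (partial_begin || partial_end) { ret = ext4_alloc_file_blocks(...) }`) is issued before the page-cache release and the DIO drain that, from the indentation of the later lines and of the sibling patch, appear to live only inside the `if (max_blocks > 0)` block, so unwritten extents can be created over the partial edge blocks while those blocks may still hold dirty, delayed-allocation pages. Whether writeback of such pages then lands correctly on the freshly created unwritten extent is not decidable from this hunk, and it is exactly the ordering a follow-up upstream fix would touch, so I would confirm against the current upstream ext4_zero_range() before shipping rather than only against commit 0f2af21a. A comment on the edge call such as `/* NOTE: runs before the flush/DIO drain below; relies on ext4_alloc_file_blocks() being safe against dirty delalloc pages */` would record the assumption. ext4_zero_range() both starts and ends outside this hunk, so the zeroing of the unaligned edges themselves (the `max_blocks == 0` case in particular) could not be checked here.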

Added: dists/sid/linux/debian/patches/bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch	Mon Apr  6 17:28:52 2015	(r22473)
@@ -0,0 +1,40 @@
+From: Theodore Ts'o <tytso at mit.edu>
+Date: Mon, 1 Sep 2014 14:33:09 -0400
+Subject: [2/2] ext4: fix accidental flag aliasing in ext4_map_blocks flags
+Origin: https://git.kernel.org/linus/bd30d702fc320085f178d22866b32fdc4736c991
+
+Commit b8a8684502a0f introduced an accidental flag aliasing between
+EXT4_EX_NOCACHE and EXT4_GET_BLOCKS_CONVERT_UNWRITTEN.
+
+Fortunately, this didn't introduce any untorward side effects --- we
+got lucky.  Nevertheless, fix this and leave a warning to hopefully
+avoid this from happening in the future.
+
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+---
+ fs/ext4/ext4.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index cf3ad75..550b4f9 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -569,6 +569,7 @@ enum {
+ #define EXT4_GET_BLOCKS_NO_PUT_HOLE		0x0200
+ 	/* Convert written extents to unwritten */
+ #define EXT4_GET_BLOCKS_CONVERT_UNWRITTEN	0x0400
++/* DO NOT ASSIGN ADDITIONAL FLAG VALUES WITHOUT ADJUSTING THE FLAGS BELOW */
+ 
+ /*
+  * The bit position of these flags must not overlap with any of the
+@@ -579,8 +580,8 @@ enum {
+  * caching the extents when reading from the extent tree while a
+  * truncate or punch hole operation is in progress.
+  */
+-#define EXT4_EX_NOCACHE				0x0400
+-#define EXT4_EX_FORCE_CACHE			0x0800
++#define EXT4_EX_NOCACHE				0x0800
++#define EXT4_EX_FORCE_CACHE			0x1000
+ 
+ /*
+  * Flags used by ext4_free_blocks
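Review bot: The all-caps comment added after `EXT4_GET_BLOCKS_CONVERT_UNWRITTEN` is the only guard against the aliasing recurring, and the commit message says the previous aliasing went unnoticed; a preprocessor check next to the relocated defines would make a repeat a build error: `#if EXT4_EX_NOCACHE & EXT4_GET_BLOCKS_CONVERT_UNWRITTEN` / `#error "EXT4_EX_* flags overlap EXT4_GET_BLOCKS_* flags"` / `#endif`, using whatever the highest EXT4_GET_BLOCKS_* value in the file is (CONVERT_UNWRITTEN is the highest visible in this hunk). Since this file is a verbatim backport of upstream bd30d702 it should stay as-is in Debian; the check is a candidate for upstream, not for the packaging patch. Note that the series applies this patch after ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch, matching the upstream [1/2]/[2/2] order, which is required because the first patch ORs in EXT4_EX_NOCACHE and is a no-op until these values change.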

Added: dists/sid/linux/debian/patches/bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch	Mon Apr  6 17:28:52 2015	(r22473)
@@ -0,0 +1,66 @@
+From: Theodore Ts'o <tytso at mit.edu>
+Date: Mon, 1 Sep 2014 14:32:09 -0400
+Subject: [1/2] ext4: fix ZERO_RANGE bug hidden by flag aliasing
+Origin: https://git.kernel.org/linus/713e8dde3e71e92db2d8cc8459d236ce1fb576ce
+
+We accidently aliased EXT4_EX_NOCACHE and EXT4_GET_CONVERT_UNWRITTEN
+falgs, which apparently was hiding a bug that was unmasked when this
+flag aliasing issue was addressed (see the subsequent commit).  The
+reproduction case was:
+
+   fsx -N 10000 -l 500000 -r 4096 -t 4096 -w 4096 -Z -R -W /vdb/junk
+
+... which would cause fsx to report corruption in the data file.
+
+The fix we have is a bit of an overkill, but I'd much rather be
+conservative for now, and we can optimize ZERO_RANGE_FL handling
+later.  The fact that we need to zap the extent_status cache for the
+inode is unfortunate, but correctness is far more important than
+performance.
+
+Signed-off-by: Theodore Ts'o <tytso at mit.edu>
+Cc: Namjae Jeon <namjae.jeon at samsung.com>
+---
+ fs/ext4/extents.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -4796,7 +4796,8 @@ static long ext4_zero_range(struct file
+ 		max_blocks -= lblk;
+ 
+ 	flags = EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT |
+-		EXT4_GET_BLOCKS_CONVERT_UNWRITTEN;
++		EXT4_GET_BLOCKS_CONVERT_UNWRITTEN |
++		EXT4_EX_NOCACHE;
+ 	if (mode & FALLOC_FL_KEEP_SIZE)
+ 		flags |= EXT4_GET_BLOCKS_KEEP_SIZE;
+ 
+@@ -4834,15 +4835,21 @@ static long ext4_zero_range(struct file
+ 		ext4_inode_block_unlocked_dio(inode);
+ 		inode_dio_wait(inode);
+ 
++		ret = ext4_alloc_file_blocks(file, lblk, max_blocks, new_size,
++					     flags, mode);
++		if (ret)
++			goto out_dio;
+ 		/*
+ 		 * Remove entire range from the extent status tree.
++		 *
++		 * ext4_es_remove_extent(inode, lblk, max_blocks) is
++		 * NOT sufficient.  I'm not sure why this is the case,
++		 * but let's be conservative and remove the extent
++		 * status tree for the entire inode.  There should be
++		 * no outstanding delalloc extents thanks to the
++		 * filemap_write_and_wait_range() call above.
+ 		 */
+-		ret = ext4_es_remove_extent(inode, lblk, max_blocks);
+-		if (ret)
+-			goto out_dio;
+-
+-		ret = ext4_alloc_file_blocks(file, lblk, max_blocks, new_size,
+-					     flags, mode);
++		ret = ext4_es_remove_extent(inode, 0, EXT_MAX_BLOCKS);
+ 		if (ret)
+ 			goto out_dio;
+ 	}
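Review bot: The reorder moves `ext4_alloc_file_blocks()` ahead of `ext4_es_remove_extent()`, so an error from the es removal (`ret = ext4_es_remove_extent(inode, 0, EXT_MAX_BLOCKS); if (ret) goto out_dio;`) now propagates after the unwritten extents have already been created on disk, whereas previously a removal failure aborted before any allocation; the caller then sees a failed zero-range whose extent tree has changed and whose extent-status cache was not purged. If that is acceptable it deserves a line in the comment block, e.g. `* Blocks are already allocated at this point; a failure here leaves the es cache possibly stale for this inode.`, and if it is not, the two calls' failure handling needs revisiting. The comment also relies on a `filemap_write_and_wait_range()` call "above" that is outside this hunk, so confirm it sits inside the same i_mutex section and precedes the allocation. ext4_zero_range() starts and ends outside the hunk.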

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Mon Apr  6 17:24:48 2015	(r22472)
+++ dists/sid/linux/debian/patches/series	Mon Apr  6 17:28:52 2015	(r22473)
@@ -557,3 +557,6 @@
 
 bugfix/all/ib-core-prevent-integer-overflow-in-ib_umem_get.patch
 bugfix/all/btrfs-make-xattr-replace-operations-atomic.patch
+bugfix/all/ext4-fix-zero_range-bug-hidden-by-flag-aliasing.patch
+bugfix/all/ext4-fix-accidental-flag-aliasing-in-ext4_map_blocks.patch
+bugfix/all/ext4-allocate-entire-range-in-zero-range.patch


