udf: Fix data corruption on file type conversion
UDF has two types of files - files with data stored in inode (ICB in UDF terminology) and files with data stored in external data blocks. We convert file from in-inode format to external format in udf_file_aio_write() when we find out data won't fit into inode any longer. However the following race between two O_APPEND writes can happen: CPU1 CPU2 udf_file_aio_write() udf_file_aio_write() down_write(&iinfo->i_data_sem); checks that i_size + count1 fits within inode => no need to convert up_write(&iinfo->i_data_sem); down_write(&iinfo->i_data_sem); checks that i_size + count2 fits within inode => no need to convert up_write(&iinfo->i_data_sem); generic_file_aio_write() - extends file by count1 bytes generic_file_aio_write() - extends file by count2 bytes Clearly if count1 + count2 doesn't fit into the inode, we overwrite kernel buffers beyond inode, possibly corrupting the filesystem as well. Fix the problem by acquiring i_mutex before checking whether write fits into the inode and using __generic_file_aio_write() afterwards which puts check and write into one critical section. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Jan Kara <jack@suse.cz>
This commit is contained in:
parent
45a22f4c11
commit
09ebb17ab4
|
@ -144,6 +144,7 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
|
|||
size_t count = iocb->ki_nbytes;
|
||||
struct udf_inode_info *iinfo = UDF_I(inode);
|
||||
|
||||
mutex_lock(&inode->i_mutex);
|
||||
down_write(&iinfo->i_data_sem);
|
||||
if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
|
||||
if (file->f_flags & O_APPEND)
|
||||
|
@ -156,6 +157,7 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
|
|||
pos + count)) {
|
||||
err = udf_expand_file_adinicb(inode);
|
||||
if (err) {
|
||||
mutex_unlock(&inode->i_mutex);
|
||||
udf_debug("udf_expand_adinicb: err=%d\n", err);
|
||||
return err;
|
||||
}
|
||||
|
@ -169,9 +171,17 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
|
|||
} else
|
||||
up_write(&iinfo->i_data_sem);
|
||||
|
||||
retval = generic_file_aio_write(iocb, iov, nr_segs, ppos);
|
||||
if (retval > 0)
|
||||
retval = __generic_file_aio_write(iocb, iov, nr_segs, &iocb->ki_pos);
|
||||
mutex_unlock(&inode->i_mutex);
|
||||
|
||||
if (retval > 0) {
|
||||
ssize_t err;
|
||||
|
||||
mark_inode_dirty(inode);
|
||||
err = generic_write_sync(file, iocb->ki_pos - retval, retval);
|
||||
if (err < 0)
|
||||
retval = err;
|
||||
}
|
||||
|
||||
return retval;
|
||||
}
|
||||
|
|
|
@ -265,6 +265,7 @@ int udf_expand_file_adinicb(struct inode *inode)
|
|||
.nr_to_write = 1,
|
||||
};
|
||||
|
||||
WARN_ON_ONCE(!mutex_is_locked(&inode->i_mutex));
|
||||
if (!iinfo->i_lenAlloc) {
|
||||
if (UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_USE_SHORT_AD))
|
||||
iinfo->i_alloc_type = ICBTAG_FLAG_AD_SHORT;
|
||||
|
|
Loading…
Reference in New Issue