xfs: fix toctou race when locking an inode to access the data map

commit 4b5bd5bf3fb182dc504b1b64e0331300f156e756 upstream.

We use di_format and if_flags to decide whether we're grabbing the ilock
in btree mode (btree extents not loaded) or shared mode (anything else),
but the state of those fields can be changed by other threads that are
also trying to load the btree extents -- IFEXTENTS gets set before the
_bmap_read_extents call and cleared if it fails.

We don't actually need to have IFEXTENTS set until after the bmbt
records are successfully loaded and validated, which will fix the race
between multiple threads trying to read the same directory.  The next
patch strengthens directory bmbt validation by refusing to open the
directory if reading the bmbt to start directory readahead fails.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 1 insertions, 2 deletions

diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c
index 222e103356c6..421341f93bea 100644
--- a/fs/xfs/libxfs/xfs_inode_fork.c
+++ b/fs/xfs/libxfs/xfs_inode_fork.c
@@ -497,15 +497,14 @@ xfs_iread_extents(
          * We know that the size is valid (it's checked in iformat_btree)
          */
         ifp->if_bytes = ifp->if_real_bytes = 0;
-        ifp->if_flags |= XFS_IFEXTENTS;
         xfs_iext_add(ifp, 0, nextents);
         error = xfs_bmap_read_extents(tp, ip, whichfork);
         if (error) {
                 xfs_iext_destroy(ifp);
-                ifp->if_flags &= ~XFS_IFEXTENTS;
                 return error;
         }
         xfs_validate_extents(ifp, nextents, XFS_EXTFMT_INODE(ip));
+        ifp->if_flags |= XFS_IFEXTENTS;
         return 0;
 }
 /*