diff options
| author | Jan Kara <jack@suse.cz> | 2014-02-18 06:00:21 -0500 |
|---|---|---|
| committer | Jan Kara <jack@suse.cz> | 2014-02-20 15:56:00 -0500 |
| commit | 09ebb17ab476b6ac1cc07b53d07e88f4d31ee4d3 (patch) | |
| tree | 609dcf7d4bb825ea1978913c29bff3687a1247ac /fs/udf/file.c | |
| parent | 45a22f4c11fef4ecd5c61c0a299cd3f23d77be8e (diff) | |
udf: Fix data corruption on file type conversion
UDF has two types of files - files with data stored in inode (ICB in
UDF terminology) and files with data stored in external data blocks. We
convert file from in-inode format to external format in
udf_file_aio_write() when we find out data won't fit into inode any
longer. However the following race between two O_APPEND writes can happen:
CPU1 CPU2
udf_file_aio_write() udf_file_aio_write()
down_write(&iinfo->i_data_sem);
checks that i_size + count1 fits within inode
=> no need to convert
up_write(&iinfo->i_data_sem);
down_write(&iinfo->i_data_sem);
checks that i_size + count2 fits
within inode => no need to convert
up_write(&iinfo->i_data_sem);
generic_file_aio_write()
- extends file by count1 bytes
generic_file_aio_write()
- extends file by count2 bytes
Clearly if count1 + count2 doesn't fit into the inode, we overwrite
kernel buffers beyond inode, possibly corrupting the filesystem as well.
Fix the problem by acquiring i_mutex before checking whether write fits
into the inode and using __generic_file_aio_write() afterwards which
puts check and write into one critical section.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/udf/file.c')
| -rw-r--r-- | fs/udf/file.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/fs/udf/file.c b/fs/udf/file.c index c02a27a19c6d..1037637957c7 100644 --- a/fs/udf/file.c +++ b/fs/udf/file.c | |||
| @@ -144,6 +144,7 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, | |||
| 144 | size_t count = iocb->ki_nbytes; | 144 | size_t count = iocb->ki_nbytes; |
| 145 | struct udf_inode_info *iinfo = UDF_I(inode); | 145 | struct udf_inode_info *iinfo = UDF_I(inode); |
| 146 | 146 | ||
| 147 | mutex_lock(&inode->i_mutex); | ||
| 147 | down_write(&iinfo->i_data_sem); | 148 | down_write(&iinfo->i_data_sem); |
| 148 | if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { | 149 | if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { |
| 149 | if (file->f_flags & O_APPEND) | 150 | if (file->f_flags & O_APPEND) |
| @@ -156,6 +157,7 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, | |||
| 156 | pos + count)) { | 157 | pos + count)) { |
| 157 | err = udf_expand_file_adinicb(inode); | 158 | err = udf_expand_file_adinicb(inode); |
| 158 | if (err) { | 159 | if (err) { |
| 160 | mutex_unlock(&inode->i_mutex); | ||
| 159 | udf_debug("udf_expand_adinicb: err=%d\n", err); | 161 | udf_debug("udf_expand_adinicb: err=%d\n", err); |
| 160 | return err; | 162 | return err; |
| 161 | } | 163 | } |
| @@ -169,9 +171,17 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, | |||
| 169 | } else | 171 | } else |
| 170 | up_write(&iinfo->i_data_sem); | 172 | up_write(&iinfo->i_data_sem); |
| 171 | 173 | ||
| 172 | retval = generic_file_aio_write(iocb, iov, nr_segs, ppos); | 174 | retval = __generic_file_aio_write(iocb, iov, nr_segs, &iocb->ki_pos); |
| 173 | if (retval > 0) | 175 | mutex_unlock(&inode->i_mutex); |
| 176 | |||
| 177 | if (retval > 0) { | ||
| 178 | ssize_t err; | ||
| 179 | |||
| 174 | mark_inode_dirty(inode); | 180 | mark_inode_dirty(inode); |
| 181 | err = generic_write_sync(file, iocb->ki_pos - retval, retval); | ||
| 182 | if (err < 0) | ||
| 183 | retval = err; | ||
| 184 | } | ||
| 175 | 185 | ||
| 176 | return retval; | 186 | return retval; |
| 177 | } | 187 | } |