summaryrefslogtreecommitdiff
path: root/fs/udf/inode.c
diff options
context:
space:
mode:
authorJan Kara <jack@suse.cz>2014-02-18 12:00:21 +0100
committerJan Kara <jack@suse.cz>2014-02-20 21:56:00 +0100
commit09ebb17ab476b6ac1cc07b53d07e88f4d31ee4d3 (patch)
tree609dcf7d4bb825ea1978913c29bff3687a1247ac /fs/udf/inode.c
parent45a22f4c11fef4ecd5c61c0a299cd3f23d77be8e (diff)
downloadlwn-09ebb17ab476b6ac1cc07b53d07e88f4d31ee4d3.tar.gz
lwn-09ebb17ab476b6ac1cc07b53d07e88f4d31ee4d3.zip
udf: Fix data corruption on file type conversion
UDF has two types of files - files with data stored in inode (ICB in UDF terminology) and files with data stored in external data blocks. We convert file from in-inode format to external format in udf_file_aio_write() when we find out data won't fit into inode any longer. However the following race between two O_APPEND writes can happen: CPU1 CPU2 udf_file_aio_write() udf_file_aio_write() down_write(&iinfo->i_data_sem); checks that i_size + count1 fits within inode => no need to convert up_write(&iinfo->i_data_sem); down_write(&iinfo->i_data_sem); checks that i_size + count2 fits within inode => no need to convert up_write(&iinfo->i_data_sem); generic_file_aio_write() - extends file by count1 bytes generic_file_aio_write() - extends file by count2 bytes Clearly if count1 + count2 doesn't fit into the inode, we overwrite kernel buffers beyond inode, possibly corrupting the filesystem as well. Fix the problem by acquiring i_mutex before checking whether write fits into the inode and using __generic_file_aio_write() afterwards which puts check and write into one critical section. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/udf/inode.c')
-rw-r--r--fs/udf/inode.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 062b7925bca0..982ce05c87ed 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -265,6 +265,7 @@ int udf_expand_file_adinicb(struct inode *inode)
.nr_to_write = 1,
};
+ WARN_ON_ONCE(!mutex_is_locked(&inode->i_mutex));
if (!iinfo->i_lenAlloc) {
if (UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_USE_SHORT_AD))
iinfo->i_alloc_type = ICBTAG_FLAG_AD_SHORT;