09ebb17ab4
UDF has two types of files - files with data stored in inode (ICB in UDF terminology) and files with data stored in external data blocks. We convert file from in-inode format to external format in udf_file_aio_write() when we find out data won't fit into inode any longer. However the following race between two O_APPEND writes can happen: CPU1 CPU2 udf_file_aio_write() udf_file_aio_write() down_write(&iinfo->i_data_sem); checks that i_size + count1 fits within inode => no need to convert up_write(&iinfo->i_data_sem); down_write(&iinfo->i_data_sem); checks that i_size + count2 fits within inode => no need to convert up_write(&iinfo->i_data_sem); generic_file_aio_write() - extends file by count1 bytes generic_file_aio_write() - extends file by count2 bytes Clearly if count1 + count2 doesn't fit into the inode, we overwrite kernel buffers beyond inode, possibly corrupting the filesystem as well. Fix the problem by acquiring i_mutex before checking whether write fits into the inode and using __generic_file_aio_write() afterwards which puts check and write into one critical section. Reported-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Jan Kara <jack@suse.cz> |
||
---|---|---|
.. | ||
balloc.c | ||
dir.c | ||
directory.c | ||
ecma_167.h | ||
file.c | ||
ialloc.c | ||
inode.c | ||
Kconfig | ||
lowlevel.c | ||
Makefile | ||
misc.c | ||
namei.c | ||
osta_udf.h | ||
partition.c | ||
super.c | ||
symlink.c | ||
truncate.c | ||
udf_i.h | ||
udf_sb.h | ||
udfdecl.h | ||
udfend.h | ||
udftime.c | ||
unicode.c |