| Message ID | 20220118095753.627-2-jack@suse.cz |
|---|---|
| State | Accepted |
| Commit | ea8569194b43f0f01f0a84c689388542c7254a1f |
| Series | [1/2] udf: Fix NULL ptr deref when converting from inline format |
On Tue, Jan 18, 2022 at 10:57:48AM +0100, Jan Kara wrote:
> When we fail to expand the inode from inline format to a normal format, we
> restore the inode to contain the original inline formatting but we forgot to
> set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then
> causing further problems such as warnings and lost data down the line.

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Btw, how did the reporter even hit that failure in a way where the
file system continues working? If we fail to write back data we'd
probably better stop modifying anything and bail out..
On Thu 20-01-22 01:06:03, Christoph Hellwig wrote:
> On Tue, Jan 18, 2022 at 10:57:48AM +0100, Jan Kara wrote:
> > When we fail to expand the inode from inline format to a normal format, we
> > restore the inode to contain the original inline formatting but we forgot to
> > set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then
> > causing further problems such as warnings and lost data down the line.
>
> Looks good,
>
> Reviewed-by: Christoph Hellwig <hch@lst.de>
>
> Btw, how did the reporter even hit that failure in a way where the
> file system continues working? If we fail to write back data we'd
> probably better stop modifying anything and bail out..

We can fail the expansion from inline to out-of-line format e.g. when the
filesystem is full (ENOSPC). So we have to handle that case gracefully and
the filesystem should be fully operational after this.

Thanks for review!

Honza
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index d6aa506b6b58..ea8f6cd01f50 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -315,6 +315,7 @@ int udf_expand_file_adinicb(struct inode *inode) unlock_page(page); iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; inode->i_data.a_ops = &udf_adinicb_aops; + iinfo->i_lenAlloc = inode->i_size; up_write(&iinfo->i_data_sem); } put_page(page);
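Review bot: The added `iinfo->i_lenAlloc = inode->i_size;` in the error-restore branch of udf_expand_file_adinicb() would benefit from a one-line comment stating why i_size is the correct value to restore (for an in-ICB inode the inline data occupies exactly i_size bytes, so i_lenAlloc must match it), since the original omission of this reset survived since 7e49b6f2480c without anyone noticing. The placement is right: the assignment sits next to the other two fields being rolled back (`i_alloc_type` and `i_data.a_ops`) and before `up_write(&iinfo->i_data_sem)`, so the restored state becomes visible atomically with the rest of the rollback rather than after the lock is dropped.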
When we fail to expand the inode from inline format to a normal format, we
restore the inode to contain the original inline formatting but we forgot to
set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then
causing further problems such as warnings and lost data down the line.

Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
CC: stable@vger.kernel.org
Fixes: 7e49b6f2480c ("udf: Convert UDF to new truncate calling sequence")
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/udf/inode.c | 1 +
 1 file changed, 1 insertion(+)