Skip to content

Commit 102e57d

Browse files
jankarajankara
committed
udf: Fix race between file type conversion and writeback
udf_setsize() can race with udf_writepages() as follows: udf_setsize() udf_writepages() if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) err = udf_expand_file_adinicb(inode); err = udf_extend_file(inode, newsize); udf_adinicb_writepages() memcpy_from_file_folio() - crash because inode size is too big. Fix the problem by checking the file type under folio lock in udf_handle_page_wb() handler called from __mpage_writepages() which properly serializes with udf_expand_file_adinicb(). Reported-by: Jianzhou Zhao <luckd0g@163.com> Link: https://lore.kernel.org/all/f622c01.67ac.19cdbdd777d.Coremail.luckd0g@163.com Reviewed-by: Christoph Hellwig <hch@lst.de> Link: https://patch.msgid.link/20260326140635.15895-4-jack@suse.cz Signed-off-by: Jan Kara <jack@suse.cz>
1 parent fffca57 commit 102e57d

1 file changed

Lines changed: 15 additions & 18 deletions

File tree

fs/udf/inode.c

Lines changed: 15 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -181,35 +181,32 @@ static void udf_write_failed(struct address_space *mapping, loff_t to)
181181
}
182182
}
183183

184-
static int udf_adinicb_writepages(struct address_space *mapping,
185-
struct writeback_control *wbc)
184+
static int udf_handle_page_wb(struct folio *folio,
185+
struct writeback_control *wbc)
186186
{
187-
struct inode *inode = mapping->host;
187+
struct inode *inode = folio->mapping->host;
188188
struct udf_inode_info *iinfo = UDF_I(inode);
189-
struct folio *folio = NULL;
190-
int error = 0;
191189

192-
while ((folio = writeback_iter(mapping, wbc, folio, &error))) {
193-
BUG_ON(!folio_test_locked(folio));
194-
BUG_ON(folio->index != 0);
195-
memcpy_from_file_folio(iinfo->i_data + iinfo->i_lenEAttr, folio,
196-
0, i_size_read(inode));
197-
folio_unlock(folio);
198-
}
190+
/*
191+
* Inodes in the normal format are handled by the generic code. This
192+
* check is race-free as the folio lock protects us from inode type
193+
* conversion.
194+
*/
195+
if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB)
196+
return 1;
199197

198+
memcpy_from_file_folio(iinfo->i_data + iinfo->i_lenEAttr, folio,
199+
0, i_size_read(inode));
200+
folio_unlock(folio);
200201
mark_inode_dirty(inode);
201202
return 0;
202203
}
203204

204205
static int udf_writepages(struct address_space *mapping,
205206
struct writeback_control *wbc)
206207
{
207-
struct inode *inode = mapping->host;
208-
struct udf_inode_info *iinfo = UDF_I(inode);
209-
210-
if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB)
211-
return udf_adinicb_writepages(mapping, wbc);
212-
return mpage_writepages(mapping, wbc, udf_get_block_wb);
208+
return __mpage_writepages(mapping, wbc, udf_get_block_wb,
209+
udf_handle_page_wb);
213210
}
214211

215212
static void udf_adinicb_read_folio(struct folio *folio)

0 commit comments

Comments
 (0)