From: Jan Kara <jack@xxxxxxx>
[ Upstream commit e9109a92d2a95889498bed3719cd2318892171a2 ]
Convert udf_rename() to use new directory iteration code.
Reported-by: syzbot+0eaad3590d65102b9391@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: syzbot+b7fc73213bc2361ab650@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Jan Kara <jack@xxxxxxx>
[cascardo: remove the call to udf_rename_tag per commit
27ab33854873 ("udf: Fix bogus checksum computation in udf_rename()")]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/udf/namei.c | 166 ++++++++++++++++++++++++++-------------------------------
1 file changed, 78 insertions(+), 88 deletions(-)
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -1238,78 +1238,68 @@ static int udf_rename(struct user_namesp
{
struct inode *old_inode = d_inode(old_dentry);
struct inode *new_inode = d_inode(new_dentry);
- struct udf_fileident_bh ofibh, nfibh;
- struct fileIdentDesc *ofi = NULL, *nfi = NULL, *dir_fi = NULL;
- struct fileIdentDesc ocfi, ncfi;
- struct buffer_head *dir_bh = NULL;
- int retval = -ENOENT;
+ struct udf_fileident_iter oiter, niter, diriter;
+ bool has_diriter = false;
+ int retval;
struct kernel_lb_addr tloc;
- struct udf_inode_info *old_iinfo = UDF_I(old_inode);
if (flags & ~RENAME_NOREPLACE)
return -EINVAL;
- ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
- if (!ofi || IS_ERR(ofi)) {
- if (IS_ERR(ofi))
- retval = PTR_ERR(ofi);
- goto end_rename;
- }
-
- if (ofibh.sbh != ofibh.ebh)
- brelse(ofibh.ebh);
-
- brelse(ofibh.sbh);
- tloc = lelb_to_cpu(ocfi.icb.extLocation);
- if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino)
- goto end_rename;
-
- nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi);
- if (IS_ERR(nfi)) {
- retval = PTR_ERR(nfi);
- goto end_rename;
- }
- if (nfi && !new_inode) {
- if (nfibh.sbh != nfibh.ebh)
- brelse(nfibh.ebh);
- brelse(nfibh.sbh);
- nfi = NULL;
+ retval = udf_fiiter_find_entry(old_dir, &old_dentry->d_name, &oiter);
+ if (retval)
+ return retval;
+
+ tloc = lelb_to_cpu(oiter.fi.icb.extLocation);
+ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino) {
+ retval = -ENOENT;
+ goto out_oiter;
}
- if (S_ISDIR(old_inode->i_mode)) {
- int offset = udf_ext0_offset(old_inode);
+ if (S_ISDIR(old_inode->i_mode)) {
if (new_inode) {
retval = -ENOTEMPTY;
if (!empty_dir(new_inode))
- goto end_rename;
+ goto out_oiter;
}
- retval = -EIO;
- if (old_iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
- dir_fi = udf_get_fileident(
- old_iinfo->i_data -
- (old_iinfo->i_efe ?
- sizeof(struct extendedFileEntry) :
- sizeof(struct fileEntry)),
- old_inode->i_sb->s_blocksize, &offset);
- } else {
- dir_bh = udf_bread(old_inode, 0, 0, &retval);
- if (!dir_bh)
- goto end_rename;
- dir_fi = udf_get_fileident(dir_bh->b_data,
- old_inode->i_sb->s_blocksize, &offset);
+ retval = udf_fiiter_find_entry(old_inode, &dotdot_name,
+ &diriter);
+ if (retval == -ENOENT) {
+ udf_err(old_inode->i_sb,
+ "directory (ino %lu) has no '..' entry\n",
+ old_inode->i_ino);
+ retval = -EFSCORRUPTED;
}
- if (!dir_fi)
- goto end_rename;
- tloc = lelb_to_cpu(dir_fi->icb.extLocation);
+ if (retval)
+ goto out_oiter;
+ has_diriter = true;
+ tloc = lelb_to_cpu(diriter.fi.icb.extLocation);
if (udf_get_lb_pblock(old_inode->i_sb, &tloc, 0) !=
- old_dir->i_ino)
- goto end_rename;
+ old_dir->i_ino) {
+ retval = -EFSCORRUPTED;
+ udf_err(old_inode->i_sb,
+ "directory (ino %lu) has parent entry pointing to another inode (%lu != %u)\n",
+ old_inode->i_ino, old_dir->i_ino,
+ udf_get_lb_pblock(old_inode->i_sb, &tloc, 0));
+ goto out_oiter;
+ }
}
- if (!nfi) {
- nfi = udf_add_entry(new_dir, new_dentry, &nfibh, &ncfi,
- &retval);
- if (!nfi)
- goto end_rename;
+
+ retval = udf_fiiter_find_entry(new_dir, &new_dentry->d_name, &niter);
+ if (retval && retval != -ENOENT)
+ goto out_oiter;
+ /* Entry found but not passed by VFS? */
+ if (!retval && !new_inode) {
+ retval = -EFSCORRUPTED;
+ udf_fiiter_release(&niter);
+ goto out_oiter;
+ }
+ /* Entry not found? Need to add one... */
+ if (retval) {
+ udf_fiiter_release(&niter);
+ retval = udf_fiiter_add_entry(new_dir, new_dentry, &niter);
+ if (retval)
+ goto out_oiter;
}
/*
@@ -1322,14 +1312,26 @@ static int udf_rename(struct user_namesp
/*
* ok, that's it
*/
- ncfi.fileVersionNum = ocfi.fileVersionNum;
- ncfi.fileCharacteristics = ocfi.fileCharacteristics;
- memcpy(&(ncfi.icb), &(ocfi.icb), sizeof(ocfi.icb));
- udf_write_fi(new_dir, &ncfi, nfi, &nfibh, NULL, NULL);
-
- /* The old fid may have moved - find it again */
- ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
- udf_delete_entry(old_dir, ofi, &ofibh, &ocfi);
+ niter.fi.fileVersionNum = oiter.fi.fileVersionNum;
+ niter.fi.fileCharacteristics = oiter.fi.fileCharacteristics;
+ memcpy(&(niter.fi.icb), &(oiter.fi.icb), sizeof(oiter.fi.icb));
+ udf_fiiter_write_fi(&niter, NULL);
+ udf_fiiter_release(&niter);
+
+ /*
+ * The old entry may have moved due to new entry allocation. Find it
+ * again.
+ */
+ udf_fiiter_release(&oiter);
+ retval = udf_fiiter_find_entry(old_dir, &old_dentry->d_name, &oiter);
+ if (retval) {
+ udf_err(old_dir->i_sb,
+ "failed to find renamed entry again in directory (ino %lu)\n",
+ old_dir->i_ino);
+ } else {
+ udf_fiiter_delete_entry(&oiter);
+ udf_fiiter_release(&oiter);
+ }
if (new_inode) {
new_inode->i_ctime = current_time(new_inode);
@@ -1340,12 +1342,11 @@ static int udf_rename(struct user_namesp
mark_inode_dirty(old_dir);
mark_inode_dirty(new_dir);
- if (dir_fi) {
- dir_fi->icb.extLocation = cpu_to_lelb(UDF_I(new_dir)->i_location);
- if (old_iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB)
- mark_inode_dirty(old_inode);
- else
- mark_buffer_dirty_inode(dir_bh, old_inode);
+ if (has_diriter) {
+ diriter.fi.icb.extLocation =
+ cpu_to_lelb(UDF_I(new_dir)->i_location);
+ udf_fiiter_write_fi(&diriter, NULL);
+ udf_fiiter_release(&diriter);
inode_dec_link_count(old_dir);
if (new_inode)
@@ -1355,22 +1356,11 @@ static int udf_rename(struct user_namesp
mark_inode_dirty(new_dir);
}
}
-
- if (ofi) {
- if (ofibh.sbh != ofibh.ebh)
- brelse(ofibh.ebh);
- brelse(ofibh.sbh);
- }
-
- retval = 0;
-
-end_rename:
- brelse(dir_bh);
- if (nfi) {
- if (nfibh.sbh != nfibh.ebh)
- brelse(nfibh.ebh);
- brelse(nfibh.sbh);
- }
+ return 0;
+out_oiter:
+ if (has_diriter)
+ udf_fiiter_release(&diriter);
+ udf_fiiter_release(&oiter);
return retval;
}
Patches currently in stable-queue which might be from cascardo@xxxxxxxxxx are
queue-6.1/udf-handle-error-when-expanding-directory.patch
queue-6.1/udf-convert-empty_dir-to-new-directory-iteration-code.patch
queue-6.1/udf-convert-udf_expand_dir_adinicb-to-new-directory-iteration.patch
queue-6.1/udf-convert-udf_unlink-to-new-directory-iteration-code.patch
queue-6.1/udf-convert-udf_add_nondir-to-new-directory-iteration.patch
queue-6.1/udf-convert-udf_link-to-new-directory-iteration-code.patch
queue-6.1/udf-remove-old-directory-iteration-code.patch
queue-6.1/udf-don-t-return-bh-from-udf_expand_dir_adinicb.patch
queue-6.1/udf-new-directory-iteration-code.patch
queue-6.1/udf-convert-udf_rmdir-to-new-directory-iteration-code.patch
queue-6.1/udf-move-udf_expand_dir_adinicb-to-its-callsite.patch
queue-6.1/udf-convert-udf_readdir-to-new-directory-iteration.patch
queue-6.1/udf-convert-udf_mkdir-to-new-directory-iteration-code.patch
queue-6.1/udf-provide-function-to-mark-entry-as-deleted-using-new-directory-iteration-code.patch
queue-6.1/udf-convert-udf_lookup-to-use-new-directory-iteration-code.patch
queue-6.1/udf-implement-adding-of-dir-entries-using-new-iteration-code.patch
queue-6.1/udf-convert-udf_rename-to-new-directory-iteration-code.patch
queue-6.1/udf-convert-udf_get_parent-to-new-directory-iteration-code.patch
queue-6.1/udf-implement-searching-for-directory-entry-using-new-iteration-code.patch
