Patch "xfs: fix toctou race when locking an inode to access the data map" has been added to the 4.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    xfs: fix toctou race when locking an inode to access the data map

to the 4.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfs-fix-toctou-race-when-locking-an-inode-to-access-the-data-map.patch
and it can be found in the queue-4.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 4b5bd5bf3fb182dc504b1b64e0331300f156e756 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@xxxxxxxxxx>
Date: Thu, 2 Feb 2017 15:13:57 -0800
Subject: xfs: fix toctou race when locking an inode to access the data map

From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>

commit 4b5bd5bf3fb182dc504b1b64e0331300f156e756 upstream.

We use di_format and if_flags to decide whether we're grabbing the ilock
in btree mode (btree extents not loaded) or shared mode (anything else),
but the state of those fields can be changed by other threads that are
also trying to load the btree extents -- IFEXTENTS gets set before the
_bmap_read_extents call and cleared if it fails.

We don't actually need to have IFEXTENTS set until after the bmbt
records are successfully loaded and validated, which will fix the race
between multiple threads trying to read the same directory.  The next
patch strengthens directory bmbt validation by refusing to open the
directory if reading the bmbt to start directory readahead fails.

Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Reviewed-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/xfs/libxfs/xfs_inode_fork.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/fs/xfs/libxfs/xfs_inode_fork.c
+++ b/fs/xfs/libxfs/xfs_inode_fork.c
@@ -497,15 +497,14 @@ xfs_iread_extents(
 	 * We know that the size is valid (it's checked in iformat_btree)
 	 */
 	ifp->if_bytes = ifp->if_real_bytes = 0;
-	ifp->if_flags |= XFS_IFEXTENTS;
 	xfs_iext_add(ifp, 0, nextents);
 	error = xfs_bmap_read_extents(tp, ip, whichfork);
 	if (error) {
 		xfs_iext_destroy(ifp);
-		ifp->if_flags &= ~XFS_IFEXTENTS;
 		return error;
 	}
 	xfs_validate_extents(ifp, nextents, XFS_EXTFMT_INODE(ip));
+	ifp->if_flags |= XFS_IFEXTENTS;
 	return 0;
 }
 /*


Patches currently in stable-queue which might be from darrick.wong@xxxxxxxxxx are

queue-4.10/xfs-correct-null-checks-and-error-processing-in-xfs_initialize_perag.patch
queue-4.10/xfs-mark-speculative-prealloc-cow-fork-extents-unwritten.patch
queue-4.10/xfs-fix-toctou-race-when-locking-an-inode-to-access-the-data-map.patch
queue-4.10/xfs-use-iomap-new-flag-for-newly-allocated-delalloc-blocks.patch
queue-4.10/xfs-handle-indlen-shortage-on-delalloc-extent-merge.patch
queue-4.10/xfs-reject-all-unaligned-direct-writes-to-reflinked-files.patch
queue-4.10/xfs-allow-unwritten-extents-in-the-cow-fork.patch
queue-4.10/xfs-tune-down-agno-asserts-in-the-bmap-code.patch
queue-4.10/xfs-verify-free-block-header-fields.patch
queue-4.10/xfs-check-for-obviously-bad-level-values-in-the-bmbt-root.patch
queue-4.10/xfs-don-t-fail-xfs_extent_busy-allocation.patch
queue-4.10/xfs-sync-eofblocks-scans-under-iolock-are-livelock-prone.patch
queue-4.10/xfs-pull-up-iolock-from-xfs_free_eofblocks.patch
queue-4.10/xfs-fail-_dir_open-when-readahead-fails.patch
queue-4.10/xfs-reset-b_first_retry_time-when-clear-the-retry-status-of-xfs_buf_t.patch
queue-4.10/xfs-update-ctime-and-mtime-on-clone-destinatation-inodes.patch
queue-4.10/xfs-split-indlen-reservations-fairly-when-under-reserved.patch
queue-4.10/xfs-filter-out-obviously-bad-btree-pointers.patch
queue-4.10/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-chunk-alignment.patch
queue-4.10/xfs-only-reclaim-unwritten-cow-extents-periodically.patch
queue-4.10/xfs-try-any-ag-when-allocating-the-first-btree-block-when-reflinking.patch
queue-4.10/xfs-fix-and-streamline-error-handling-in-xfs_end_io.patch
queue-4.10/xfs-fix-eofblocks-race-with-file-extending-async-dio-writes.patch
queue-4.10/xfs-fix-uninitialized-variable-in-_reflink_convert_cow.patch
queue-4.10/xfs-don-t-reserve-blocks-for-right-shift-transactions.patch
queue-4.10/xfs-use-xfs_icluster_size_fsb-to-calculate-inode-alignment-mask.patch
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]