From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Ralph Sennhauser <ralph.sennhauser@gmail.com>,
Amir Goldstein <amir73il@gmail.com>,
Richard Weinberger <richard@nod.at>
Subject: [PATCH 4.9 14/21] ubifs: Fix O_TMPFILE corner case in ubifs_link()
Date: Tue, 25 Apr 2017 16:09:09 +0100 [thread overview]
Message-ID: <20170425150828.057224462@linuxfoundation.org> (raw)
In-Reply-To: <20170425150827.381333941@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger <richard@nod.at>
commit 32fe905c17f001c0eee13c59afddd0bf2eed509c upstream.
It is perfectly fine to link a tmpfile back using linkat().
Since tmpfiles are created with a link count of 0 they appear
on the orphan list, upon re-linking the inode has to be removed
from the orphan list again.
Ralph faced a filesystem corruption in combination with overlayfs
due to this bug.
Cc: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Cc: Amir Goldstein <amir73il@gmail.com>
Reported-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Tested-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
Reported-by: Amir Goldstein <amir73il@gmail.com>
Fixes: 474b93704f321 ("ubifs: Implement O_TMPFILE")
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/dir.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -622,6 +622,11 @@ static int ubifs_link(struct dentry *old
return err;
lock_2_inodes(dir, inode);
+
+ /* Handle O_TMPFILE corner case, it is allowed to link a O_TMPFILE. */
+ if (inode->i_nlink == 0)
+ ubifs_delete_orphan(c, inode->i_ino);
+
inc_nlink(inode);
ihold(inode);
inode->i_ctime = ubifs_current_time(inode);
@@ -641,6 +646,8 @@ out_cancel:
dir->i_size -= sz_change;
dir_ui->ui_size = dir->i_size;
drop_nlink(inode);
+ if (inode->i_nlink == 0)
+ ubifs_add_orphan(c, inode->i_ino);
unlock_2_inodes(dir, inode);
ubifs_release_budget(c, &req);
iput(inode);
next prev parent reply other threads:[~2017-04-25 15:29 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-25 15:08 [PATCH 4.9 00/21] 4.9.25-stable review Greg Kroah-Hartman
2017-04-25 15:08 ` [PATCH 4.9 01/21] KEYS: Disallow keyrings beginning with . to be joined as session keyrings Greg Kroah-Hartman
2017-04-25 15:08 ` [PATCH 4.9 02/21] KEYS: Change the name of the dead type to ".dead" to prevent user access Greg Kroah-Hartman
2017-04-25 15:08 ` [PATCH 4.9 03/21] KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings Greg Kroah-Hartman
2017-04-25 15:08 ` [PATCH 4.9 04/21] tracing: Allocate the snapshot buffer before enabling probe Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 05/21] ring-buffer: Have ring_buffer_iter_empty() return true when empty Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 06/21] mm: prevent NR_ISOLATE_* stats from going negative Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 07/21] cifs: Do not send echoes before Negotiate is complete Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 08/21] CIFS: remove bad_network_name flag Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 09/21] s390/mm: fix CMMA vs KSM vs others Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 10/21] Input: elantech - add Fujitsu Lifebook E547 to force crc_enabled Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 11/21] ACPI / power: Avoid maybe-uninitialized warning Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 12/21] mmc: sdhci-esdhc-imx: increase the pad I/O drive strength for DDR50 card Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 13/21] ubifs: Fix RENAME_WHITEOUT support Greg Kroah-Hartman
2017-04-25 15:09 ` Greg Kroah-Hartman [this message]
2017-04-25 15:09 ` [PATCH 4.9 15/21] mac80211: reject ToDS broadcast data frames Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 16/21] mac80211: fix MU-MIMO follow-MAC mode Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 17/21] ubi/upd: Always flush after prepared for an update Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 18/21] powerpc/kprobe: Fix oops when kprobed on stdu instruction Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 19/21] x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 21/21] device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation Greg Kroah-Hartman
2017-04-25 18:24 ` [PATCH 4.9 00/21] 4.9.25-stable review Shuah Khan
2017-04-26 2:23 ` Guenter Roeck
-- strict thread matches above, loose matches on Subject: below --
2017-04-25 15:09 [4.9,20/21] x86/mce: Make the MCE notifier a blocking one Greg Kroah-Hartman
2017-04-25 15:09 ` [PATCH 4.9 20/21] " Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170425150828.057224462@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amir73il@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ralph.sennhauser@gmail.com \
--cc=richard@nod.at \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.