Commit e9b5bd0c authored by Jan Kara's avatar Jan Kara Committed by Yifan Qiao
Browse files

udf: Fix preallocation discarding at indirect extent boundary 

stable inclusion
from stable-v5.10.161
commit 1a075f4a549481ce6e8518d8379f193ccec6b746
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRES
CVE: CVE-2022-48946

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1a075f4a549481ce6e8518d8379f193ccec6b746



--------------------------------

commit cfe4c1b2 upstream.

When preallocation extent is the first one in the extent block, the
code would corrupt extent tree header instead. Fix the problem and use
udf_delete_aext() for deleting extent to avoid some code duplication.

CC: stable@vger.kernel.org
Signed-off-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarYifan Qiao <qiaoyifan4@huawei.com>
parent d1efa173

fs/udf/truncate.c

+13 −32
Original line number Diff line number Diff line
@@ -120,60 +120,41 @@ void udf_truncate_tail_extent(struct inode *inode) 


void udf_discard_prealloc(struct inode *inode)

{

	struct extent_position epos = { NULL, 0, {0, 0} };

	struct extent_position epos = {};

	struct extent_position prev_epos = {};

	struct kernel_lb_addr eloc;

	uint32_t elen;

	uint64_t lbcount = 0;

	int8_t etype = -1, netype;

	int adsize;

	struct udf_inode_info *iinfo = UDF_I(inode);



	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB ||

	    inode->i_size == iinfo->i_lenExtents)

		return;



	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_SHORT)

		adsize = sizeof(struct short_ad);

	else if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_LONG)

		adsize = sizeof(struct long_ad);

	else

		adsize = 0;



	epos.block = iinfo->i_location;



	/* Find the last extent in the file */

	while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 1)) != -1) {

		etype = netype;

	while ((netype = udf_next_aext(inode, &epos, &eloc, &elen, 0)) != -1) {

		brelse(prev_epos.bh);

		prev_epos = epos;

		if (prev_epos.bh)

			get_bh(prev_epos.bh);



		etype = udf_next_aext(inode, &epos, &eloc, &elen, 1);

		lbcount += elen;

	}

	if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30)) {

		epos.offset -= adsize;

		lbcount -= elen;

		extent_trunc(inode, &epos, &eloc, etype, elen, 0);

		if (!epos.bh) {

			iinfo->i_lenAlloc =

				epos.offset -

				udf_file_entry_alloc_offset(inode);

			mark_inode_dirty(inode);

		} else {

			struct allocExtDesc *aed =

				(struct allocExtDesc *)(epos.bh->b_data);

			aed->lengthAllocDescs =

				cpu_to_le32(epos.offset -

					    sizeof(struct allocExtDesc));

			if (!UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_STRICT) ||

			    UDF_SB(inode->i_sb)->s_udfrev >= 0x0201)

				udf_update_tag(epos.bh->b_data, epos.offset);

			else

				udf_update_tag(epos.bh->b_data,

					       sizeof(struct allocExtDesc));

			mark_buffer_dirty_inode(epos.bh, inode);

		}

		udf_delete_aext(inode, prev_epos);

		udf_free_blocks(inode->i_sb, inode, &eloc, 0,

				DIV_ROUND_UP(elen, 1 << inode->i_blkbits));

	}

	/* This inode entry is in-memory only and thus we don't have to mark

	 * the inode dirty */

	iinfo->i_lenExtents = lbcount;

	brelse(epos.bh);

	brelse(prev_epos.bh);

}



static void udf_update_alloc_ext_desc(struct inode *inode,