Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp2966289imm; Sun, 1 Jul 2018 09:19:17 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLlH+enF/MYgQwZN5uwCe5VrndfzYcp6iovADW//6cn96smwrL7rbrH91BEuDHQ//1hXopn X-Received: by 2002:a65:5c4b:: with SMTP id v11-v6mr19213934pgr.445.1530461957830; Sun, 01 Jul 2018 09:19:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530461957; cv=none; d=google.com; s=arc-20160816; b=tgexq5raUk8+IIuiYz3RaigtJY1BxTBRRBQ3Pjez7in0sFK5YOU7i2ijjvT27pR7aj H6i72D04DB2q6rM+dnkwdrIGcsqGsMN7SxZJXCy0UAC6oE6DnbnsWYdAZaHrGUzledMF aprMTwfGLVXprp9zPalwau1T4WckCIb2CJOqHOVUiOppX0ohDuTZxWjjI0s/IlZQOerI SWdQD7gvyZVeXP9ZLlYIsiZ+x0TGcwAHyh6FUikno11h6H95V+qW1FVFZ+U/tsknDclk UjDzR9EW1PuNd8iuG8NMto3capkZn9xfqBNz5kSWjuMdTGHpUYuP3eFdQw3kATN5NdRB CiDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=JuVian4G5KIFaZsY0EgM+R1CymhGj3UJGMOFeOKcx10=; b=JhvHW+qNQyJnazj6l53y/vDlVYScHRc1aLEtbNH52+gn/Kb+3uiA/r7r+7cH6aqIWQ Fpsd0CGBMkXc7jBkcu95QqwDyFIi/pDz8NO8KWX0Bra/obbrr05wWH9+unw0oiB2RE4Q +QbMyQPoTan5PX91GJEYtethUPvqQO0ATVDr2brHm0Fwaj2gQtuxarefLEQSJa6dvT18 H4gbmaHQ8j9QeWb2W/6zt8DkK0+fYyjdPD2JhN+LJlMNJN6wRvrRIYbaAb9dmQ3z4qWB Xq8M0MBdDOyAgm3/UCk6pviNJiE0Fo416IXnEAMcXkARn2JHFt/Nw9rtk/9PwKt7rlmx lULw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q185-v6si13985462pfb.216.2018.07.01.09.19.03; Sun, 01 Jul 2018 09:19:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964845AbeGAQRm (ORCPT + 99 others); Sun, 1 Jul 2018 12:17:42 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:32858 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964830AbeGAQRj (ORCPT ); Sun, 1 Jul 2018 12:17:39 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id E64FF49B; Sun, 1 Jul 2018 16:17:38 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Omar Sandoval , Nikolay Borisov , David Sterba Subject: [PATCH 4.4 061/105] Btrfs: fix clone vs chattr NODATASUM race Date: Sun, 1 Jul 2018 18:02:11 +0200 Message-Id: <20180701153153.923725936@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180701153149.382300170@linuxfoundation.org> References: <20180701153149.382300170@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Omar Sandoval commit b5c40d598f5408bd0ca22dfffa82f03cd9433f23 upstream. In btrfs_clone_files(), we must check the NODATASUM flag while the inodes are locked. Otherwise, it's possible that btrfs_ioctl_setflags() will change the flags after we check and we can end up with a party checksummed file. The race window is only a few instructions in size, between the if and the locks which is: 3834 if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) 3835 return -EISDIR; where the setflags must be run and toggle the NODATASUM flag (provided the file size is 0). The clone will block on the inode lock, segflags takes the inode lock, changes flags, releases log and clone continues. Not impossible but still needs a lot of bad luck to hit unintentionally. Fixes: 0e7b824c4ef9 ("Btrfs: don't make a file partly checksummed through file clone") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Omar Sandoval Reviewed-by: Nikolay Borisov Reviewed-by: David Sterba [ update changelog ] Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman [ adjusted for 4.4 ] Signed-off-by: Nikolay Borisov --- fs/btrfs/ioctl.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3923,11 +3923,6 @@ static noinline long btrfs_ioctl_clone(s if (!(src_file.file->f_mode & FMODE_READ)) goto out_fput; - /* don't make the dst file partly checksummed */ - if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != - (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) - goto out_fput; - ret = -EISDIR; if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode)) goto out_fput; @@ -3942,6 +3937,13 @@ static noinline long btrfs_ioctl_clone(s mutex_lock(&src->i_mutex); } + /* don't make the dst file partly checksummed */ + if ((BTRFS_I(src)->flags & BTRFS_INODE_NODATASUM) != + (BTRFS_I(inode)->flags & BTRFS_INODE_NODATASUM)) { + ret = -EINVAL; + goto out_unlock; + } + /* determine range to clone */ ret = -EINVAL; if (off + len > src->i_size || off + len < off)