quota: Fix possible corruption of dqi_flags
authorJan Kara <jack@suse.cz>
Fri, 9 Jun 2017 09:56:06 +0000 (11:56 +0200)
committerJan Kara <jack@suse.cz>
Thu, 17 Aug 2017 20:00:04 +0000 (22:00 +0200)
dqi_flags modifications are protected by dq_data_lock. However, the
modifications in vfs_load_quota_inode() and in mark_info_dirty() were
not, which could lead to corruption of dqi_flags. Since modifications to
dqi_flags are rare, this is hard to observe in practice, but in theory it
could happen. Fix the problem by always using dq_data_lock for
protection.

Signed-off-by: Jan Kara <jack@suse.cz>
fs/quota/dquot.c
fs/quota/quota_v1.c

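--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -389,7 +389,9 @@ static inline int clear_dquot_dirty(struct dquot *dquot)
 
 void mark_info_dirty(struct super_block *sb, int type)
 {
-       set_bit(DQF_INFO_DIRTY_B, &sb_dqopt(sb)->info[type].dqi_flags);
+       spin_lock(&dq_data_lock);
+       sb_dqopt(sb)->info[type].dqi_flags |= DQF_INFO_DIRTY;
+       spin_unlock(&dq_data_lock);
 }
 EXPORT_SYMBOL(mark_info_dirty);
 
@@ -2316,8 +2318,11 @@ static int vfs_load_quota_inode(struct inode *inode, int type, int format_id,
        error = dqopt->ops[type]->read_file_info(sb, type);
        if (error < 0)
                goto out_file_init;
-       if (dqopt->flags & DQUOT_QUOTA_SYS_FILE)
+       if (dqopt->flags & DQUOT_QUOTA_SYS_FILE) {
+               spin_lock(&dq_data_lock);
                dqopt->info[type].dqi_flags |= DQF_SYS_FILE;
+               spin_unlock(&dq_data_lock);
+       }
        spin_lock(&dq_state_lock);
        dqopt->flags |= dquot_state_flag(flags, type);
        spin_unlock(&dq_state_lock);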
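Review bot: In mark_info_dirty() the atomic `set_bit()` becomes a plain `|=` under dq_data_lock, so the update is only safe if every other writer of dqi_flags holds the same lock; an unlocked or atomic bit-op writer elsewhere (not visible in this diff) would still race with it. The function is exported and now takes a non-recursive spinlock, so a caller that already holds dq_data_lock would deadlock. I would state both rules above the function, e.g. `/* Takes dq_data_lock; callers must not hold it. All dqi_flags writers must use this lock. */`. The same rule covers the DQF_SYS_FILE update in vfs_load_quota_inode(), whose body starts and ends outside the hunk.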
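--- a/fs/quota/quota_v1.c
+++ b/fs/quota/quota_v1.c
@@ -189,7 +189,6 @@ static int v1_write_file_info(struct super_block *sb, int type)
        int ret;
 
        down_write(&dqopt->dqio_sem);
-       dqopt->info[type].dqi_flags &= ~DQF_INFO_DIRTY;
        ret = sb->s_op->quota_read(sb, type, (char *)&dqblk,
                                sizeof(struct v1_disk_dqblk), v1_dqoff(0));
        if (ret != sizeof(struct v1_disk_dqblk)) {
@@ -197,8 +196,11 @@ static int v1_write_file_info(struct super_block *sb, int type)
                        ret = -EIO;
                goto out;
        }
+       spin_lock(&dq_data_lock);
+       dqopt->info[type].dqi_flags &= ~DQF_INFO_DIRTY;
        dqblk.dqb_itime = dqopt->info[type].dqi_igrace;
        dqblk.dqb_btime = dqopt->info[type].dqi_bgrace;
+       spin_unlock(&dq_data_lock);
        ret = sb->s_op->quota_write(sb, type, (char *)&dqblk,
              sizeof(struct v1_disk_dqblk), v1_dqoff(0));
        if (ret == sizeof(struct v1_disk_dqblk))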
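Review bot: In v1_write_file_info() DQF_INFO_DIRTY is cleared before `quota_write()` is attempted, so a short or failed write leaves the info marked clean although the grace times never reached disk. The function's tail is outside the hunk, so the error path may already handle this; if it does not, the failure branch of the write-result check should mark the info dirty again with `mark_info_dirty(sb, type);`. A short comment at the locked section would also help, e.g. `/* Clear dirty and snapshot grace times together so a concurrent update re-marks the info dirty */`.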