Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 15512377 authored by Jan Kara's avatar Jan Kara
Browse files

quota: Fix possible corruption of dqi_flags 



dqi_flags modifications are protected by dq_data_lock. However the
modifications in vfs_load_quota_inode() and in mark_info_dirty() were
not which could lead to corruption of dqi_flags. Since modifications to
dqi_flags are rare, this is hard to observe in practice but in theory it
could happen. Fix the problem by always using dq_data_lock for
protection.

Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent f98bbe37

fs/quota/dquot.c

+7 −2
Original line number Diff line number Diff line
@@ -389,7 +389,9 @@ static inline int clear_dquot_dirty(struct dquot *dquot) 


void mark_info_dirty(struct super_block *sb, int type)

{

	set_bit(DQF_INFO_DIRTY_B, &sb_dqopt(sb)->info[type].dqi_flags);

	spin_lock(&dq_data_lock);

	sb_dqopt(sb)->info[type].dqi_flags |= DQF_INFO_DIRTY;

	spin_unlock(&dq_data_lock);

}

EXPORT_SYMBOL(mark_info_dirty);
@@ -2316,8 +2318,11 @@ static int vfs_load_quota_inode(struct inode *inode, int type, int format_id, 
	error = dqopt->ops[type]->read_file_info(sb, type);

	if (error < 0)

		goto out_file_init;

	if (dqopt->flags & DQUOT_QUOTA_SYS_FILE)

	if (dqopt->flags & DQUOT_QUOTA_SYS_FILE) {

		spin_lock(&dq_data_lock);

		dqopt->info[type].dqi_flags |= DQF_SYS_FILE;

		spin_unlock(&dq_data_lock);

	}

	spin_lock(&dq_state_lock);

	dqopt->flags |= dquot_state_flag(flags, type);

	spin_unlock(&dq_state_lock);

fs/quota/quota_v1.c

+3 −1
Original line number Diff line number Diff line
@@ -189,7 +189,6 @@ static int v1_write_file_info(struct super_block *sb, int type) 
	int ret;



	down_write(&dqopt->dqio_sem);

	dqopt->info[type].dqi_flags &= ~DQF_INFO_DIRTY;

	ret = sb->s_op->quota_read(sb, type, (char *)&dqblk,

				sizeof(struct v1_disk_dqblk), v1_dqoff(0));

	if (ret != sizeof(struct v1_disk_dqblk)) {
@@ -197,8 +196,11 @@ static int v1_write_file_info(struct super_block *sb, int type) 
			ret = -EIO;

		goto out;

	}

	spin_lock(&dq_data_lock);

	dqopt->info[type].dqi_flags &= ~DQF_INFO_DIRTY;

	dqblk.dqb_itime = dqopt->info[type].dqi_igrace;

	dqblk.dqb_btime = dqopt->info[type].dqi_bgrace;

	spin_unlock(&dq_data_lock);

	ret = sb->s_op->quota_write(sb, type, (char *)&dqblk,

	      sizeof(struct v1_disk_dqblk), v1_dqoff(0));

	if (ret == sizeof(struct v1_disk_dqblk))