| From 32fe905c17f001c0eee13c59afddd0bf2eed509c Mon Sep 17 00:00:00 2001 |
| From: Richard Weinberger <richard@nod.at> |
| Date: Thu, 30 Mar 2017 10:50:49 +0200 |
| Subject: [PATCH] ubifs: Fix O_TMPFILE corner case in ubifs_link() |
| |
| commit 32fe905c17f001c0eee13c59afddd0bf2eed509c upstream. |
| |
| It is perfectly fine to link a tmpfile back using linkat(). |
| Since tmpfiles are created with a link count of 0 they appear |
| on the orphan list, upon re-linking the inode has to be removed |
| from the orphan list again. |
| |
| Ralph faced a filesystem corruption in combination with overlayfs |
| due to this bug. |
| |
| Cc: <stable@vger.kernel.org> |
| Cc: Ralph Sennhauser <ralph.sennhauser@gmail.com> |
| Cc: Amir Goldstein <amir73il@gmail.com> |
| Reported-by: Ralph Sennhauser <ralph.sennhauser@gmail.com> |
| Tested-by: Ralph Sennhauser <ralph.sennhauser@gmail.com> |
| Reported-by: Amir Goldstein <amir73il@gmail.com> |
| Fixes: 474b93704f321 ("ubifs: Implement O_TMPFILE") |
| Signed-off-by: Richard Weinberger <richard@nod.at> |
| |
| diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c |
| index 0858213a4e63..b777bddaa1dd 100644 |
| --- a/fs/ubifs/dir.c |
| +++ b/fs/ubifs/dir.c |
| @@ -748,6 +748,11 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir, |
| goto out_fname; |
| |
| lock_2_inodes(dir, inode); |
| + |
| + /* Handle O_TMPFILE corner case, it is allowed to link a O_TMPFILE. */ |
| + if (inode->i_nlink == 0) |
| + ubifs_delete_orphan(c, inode->i_ino); |
| + |
| inc_nlink(inode); |
| ihold(inode); |
| inode->i_ctime = ubifs_current_time(inode); |
| @@ -768,6 +773,8 @@ out_cancel: |
| dir->i_size -= sz_change; |
| dir_ui->ui_size = dir->i_size; |
| drop_nlink(inode); |
| + if (inode->i_nlink == 0) |
| + ubifs_add_orphan(c, inode->i_ino); |
| unlock_2_inodes(dir, inode); |
| ubifs_release_budget(c, &req); |
| iput(inode); |
| -- |
| 2.12.0 |
| |
