udf: limit the maximum number of indirect extents in a row

[pandora-kernel.git] / fs / udf / inode.c

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 4fd1d80..5d67e20 100644 (file)
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -151,6 +151,12 @@ const struct address_space_operations udf_aops = {
        .bmap           = udf_bmap,
 };
 
+/*
+ * Expand file stored in ICB to a normal one-block-file
+ *
+ * This function requires i_data_sem for writing and releases it.
+ * This function requires i_mutex held
+ */
 int udf_expand_file_adinicb(struct inode *inode)
 {
        struct page *page;
@@ -169,9 +175,15 @@ int udf_expand_file_adinicb(struct inode *inode)
                        iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;
                /* from now on we have normal address_space methods */
                inode->i_data.a_ops = &udf_aops;
+               up_write(&iinfo->i_data_sem);
                mark_inode_dirty(inode);
                return 0;
        }
+       /*
+        * Release i_data_sem so that we can lock a page - page lock ranks
+        * above i_data_sem. i_mutex still protects us against file changes.
+        */
+       up_write(&iinfo->i_data_sem);
 
        page = find_or_create_page(inode->i_mapping, 0, GFP_NOFS);
        if (!page)
@@ -187,6 +199,7 @@ int udf_expand_file_adinicb(struct inode *inode)
                SetPageUptodate(page);
                kunmap(page);
        }
+       down_write(&iinfo->i_data_sem);
        memset(iinfo->i_ext.i_data + iinfo->i_lenEAttr, 0x00,
               iinfo->i_lenAlloc);
        iinfo->i_lenAlloc = 0;
@@ -196,17 +209,20 @@ int udf_expand_file_adinicb(struct inode *inode)
                iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;
        /* from now on we have normal address_space methods */
        inode->i_data.a_ops = &udf_aops;
+       up_write(&iinfo->i_data_sem);
        err = inode->i_data.a_ops->writepage(page, &udf_wbc);
        if (err) {
                /* Restore everything back so that we don't lose data... */
                lock_page(page);
                kaddr = kmap(page);
+               down_write(&iinfo->i_data_sem);
                memcpy(iinfo->i_ext.i_data + iinfo->i_lenEAttr, kaddr,
                       inode->i_size);
                kunmap(page);
                unlock_page(page);
                iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
                inode->i_data.a_ops = &udf_adinicb_aops;
+               up_write(&iinfo->i_data_sem);
        }
        page_cache_release(page);
        mark_inode_dirty(inode);
@@ -565,6 +581,7 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block,
        struct udf_inode_info *iinfo = UDF_I(inode);
        int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
        int lastblock = 0;
+       bool isBeyondEOF;
 
        prev_epos.offset = udf_file_entry_alloc_offset(inode);
        prev_epos.block = iinfo->i_location;
@@ -643,7 +660,7 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block,
        /* Are we beyond EOF? */
        if (etype == -1) {
                int ret;
-
+               isBeyondEOF = 1;
                if (count) {
                        if (c)
                                laarr[0] = laarr[1];
@@ -686,6 +703,7 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block,
                endnum = c + 1;
                lastblock = 1;
        } else {
+               isBeyondEOF = 0;
                endnum = startnum = ((count > 2) ? 2 : count);
 
                /* if the current extent is in position 0,
@@ -728,10 +746,13 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block,
                                goal, err);
                if (!newblocknum) {
                        brelse(prev_epos.bh);
+                       brelse(cur_epos.bh);
+                       brelse(next_epos.bh);
                        *err = -ENOSPC;
                        return NULL;
                }
-               iinfo->i_lenExtents += inode->i_sb->s_blocksize;
+               if (isBeyondEOF)
+                       iinfo->i_lenExtents += inode->i_sb->s_blocksize;
        }
 
        /* if the extent the requsted block is located in contains multiple
@@ -758,6 +779,8 @@ static struct buffer_head *inode_getblk(struct inode *inode, sector_t block,
        udf_update_extents(inode, laarr, startnum, endnum, &prev_epos);
 
        brelse(prev_epos.bh);
+       brelse(cur_epos.bh);
+       brelse(next_epos.bh);
 
        newblock = udf_get_pblock(inode->i_sb, newblocknum,
                                iinfo->i_location.partitionReferenceNum, 0);
@@ -1111,10 +1134,9 @@ int udf_setsize(struct inode *inode, loff_t newsize)
                        if (bsize <
                            (udf_file_entry_alloc_offset(inode) + newsize)) {
                                err = udf_expand_file_adinicb(inode);
-                               if (err) {
-                                       up_write(&iinfo->i_data_sem);
+                               if (err)
                                        return err;
-                               }
+                               down_write(&iinfo->i_data_sem);
                        } else
                                iinfo->i_lenAlloc = newsize;
                }
@@ -1154,13 +1176,22 @@ update_time:
        return 0;
 }
 
+/*
+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
+ * arbitrary - just that we hopefully don't limit any real use of rewritten
+ * inode on write-once media but avoid looping for too long on corrupted media.
+ */
+#define UDF_MAX_ICB_NESTING 1024
+
 static void __udf_read_inode(struct inode *inode)
 {
        struct buffer_head *bh = NULL;
        struct fileEntry *fe;
        uint16_t ident;
        struct udf_inode_info *iinfo = UDF_I(inode);
+       unsigned int indirections = 0;
 
+reread:
        /*
         * Set defaults, but the inode is still incomplete!
         * Note: get_new_inode() sets the following on a new inode:
@@ -1197,28 +1228,26 @@ static void __udf_read_inode(struct inode *inode)
                ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
                                        &ident);
                if (ident == TAG_IDENT_IE && ibh) {
-                       struct buffer_head *nbh = NULL;
                        struct kernel_lb_addr loc;
                        struct indirectEntry *ie;
 
                        ie = (struct indirectEntry *)ibh->b_data;
                        loc = lelb_to_cpu(ie->indirectICB.extLocation);
 
-                       if (ie->indirectICB.extLength &&
-                               (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
-                                                       &ident))) {
-                               if (ident == TAG_IDENT_FE ||
-                                       ident == TAG_IDENT_EFE) {
-                                       memcpy(&iinfo->i_location,
-                                               &loc,
-                                               sizeof(struct kernel_lb_addr));
-                                       brelse(bh);
-                                       brelse(ibh);
-                                       brelse(nbh);
-                                       __udf_read_inode(inode);
+                       if (ie->indirectICB.extLength) {
+                               brelse(bh);
+                               brelse(ibh);
+                               memcpy(&iinfo->i_location, &loc,
+                                      sizeof(struct kernel_lb_addr));
+                               if (++indirections > UDF_MAX_ICB_NESTING) {
+                                       udf_err(inode->i_sb,
+                                               "too many ICBs in ICB hierarchy"
+                                               " (max %d supported)\n",
+                                               UDF_MAX_ICB_NESTING);
+                                       make_bad_inode(inode);
                                        return;
                                }
-                               brelse(nbh);
+                               goto reread;
                        }
                }
                brelse(ibh);
@@ -1242,6 +1271,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
        struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
        struct udf_inode_info *iinfo = UDF_I(inode);
        unsigned int link_count;
+       int bs = inode->i_sb->s_blocksize;
 
        fe = (struct fileEntry *)bh->b_data;
        efe = (struct extendedFileEntry *)bh->b_data;
@@ -1262,41 +1292,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
        if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
                iinfo->i_efe = 1;
                iinfo->i_use = 0;
-               if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+               if (udf_alloc_i_data(inode, bs -
                                        sizeof(struct extendedFileEntry))) {
                        make_bad_inode(inode);
                        return;
                }
                memcpy(iinfo->i_ext.i_data,
                       bh->b_data + sizeof(struct extendedFileEntry),
-                      inode->i_sb->s_blocksize -
-                                       sizeof(struct extendedFileEntry));
+                      bs - sizeof(struct extendedFileEntry));
        } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
                iinfo->i_efe = 0;
                iinfo->i_use = 0;
-               if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
-                                               sizeof(struct fileEntry))) {
+               if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
                        make_bad_inode(inode);
                        return;
                }
                memcpy(iinfo->i_ext.i_data,
                       bh->b_data + sizeof(struct fileEntry),
-                      inode->i_sb->s_blocksize - sizeof(struct fileEntry));
+                      bs - sizeof(struct fileEntry));
        } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
                iinfo->i_efe = 0;
                iinfo->i_use = 1;
                iinfo->i_lenAlloc = le32_to_cpu(
                                ((struct unallocSpaceEntry *)bh->b_data)->
                                 lengthAllocDescs);
-               if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+               if (udf_alloc_i_data(inode, bs -
                                        sizeof(struct unallocSpaceEntry))) {
                        make_bad_inode(inode);
                        return;
                }
                memcpy(iinfo->i_ext.i_data,
                       bh->b_data + sizeof(struct unallocSpaceEntry),
-                      inode->i_sb->s_blocksize -
-                                       sizeof(struct unallocSpaceEntry));
+                      bs - sizeof(struct unallocSpaceEntry));
                return;
        }
 
@@ -1374,6 +1401,36 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
                                                        iinfo->i_lenEAttr;
        }
 
+       /*
+        * Sanity check length of allocation descriptors and extended attrs to
+        * avoid integer overflows
+        */
+       if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
+               make_bad_inode(inode);
+               return;
+       }
+       /* Now do exact checks */
+       if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
+               make_bad_inode(inode);
+               return;
+       }
+       /* Sanity checks for files in ICB so that we don't get confused later */
+       if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+               /*
+                * For file in ICB data is stored in allocation descriptor
+                * so sizes should match
+                */
+               if (iinfo->i_lenAlloc != inode->i_size) {
+                       make_bad_inode(inode);
+                       return;
+               }
+               /* File in ICB has to fit in there... */
+               if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+                       make_bad_inode(inode);
+                       return;
+               }
+       }
+
        switch (fe->icbTag.fileType) {
        case ICBTAG_FILE_TYPE_DIRECTORY:
                inode->i_op = &udf_dir_inode_operations;
@@ -1918,14 +1975,29 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos,
                epos->offset += adsize;
 }
 
+/*
+ * Only 1 indirect extent in a row really makes sense but allow upto 16 in case
+ * someone does some weird stuff.
+ */
+#define UDF_MAX_INDIR_EXTS 16
+
 int8_t udf_next_aext(struct inode *inode, struct extent_position *epos,
                     struct kernel_lb_addr *eloc, uint32_t *elen, int inc)
 {
        int8_t etype;
+       unsigned int indirections = 0;
 
        while ((etype = udf_current_aext(inode, epos, eloc, elen, inc)) ==
               (EXT_NEXT_EXTENT_ALLOCDECS >> 30)) {
                int block;
+
+               if (++indirections > UDF_MAX_INDIR_EXTS) {
+                       udf_err(inode->i_sb,
+                               "too many indirect extents in inode %lu\n",
+                               inode->i_ino);
+                       return -1;
+               }
+
                epos->block = *eloc;
                epos->offset = sizeof(struct allocExtDesc);
                brelse(epos->bh);