From ba54aef0313322d9eea0fca648170d5a3c906de4 Mon Sep 17 00:00:00 2001 From: "Steven J. Magnani" Date: Thu, 11 Jul 2019 08:38:51 -0500 Subject: udf: refactor VRS descriptor identification Extract code that parses a Volume Recognition Sequence descriptor (component), in preparation for calling it twice against different locations in a block. Signed-off-by: Steven J. Magnani Link: https://lore.kernel.org/r/20190711133852.16887-1-steve@digidescorp.com Signed-off-by: Jan Kara --- fs/udf/super.c | 128 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index a14346137361..14a91955507b 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -646,16 +646,67 @@ out_unlock: return error; } -/* Check Volume Structure Descriptors (ECMA 167 2/9.1) */ -/* We also check any "CD-ROM Volume Descriptor Set" (ECMA 167 2/8.3.1) */ -static loff_t udf_check_vsd(struct super_block *sb) +/* + * Check VSD descriptor. Returns -1 in case we are at the end of volume + * recognition area, 0 if the descriptor is valid but non-interesting, 1 if + * we found one of NSR descriptors we are looking for. + */ +static int identify_vsd(const struct volStructDesc *vsd) +{ + int ret = 0; + + if (!memcmp(vsd->stdIdent, VSD_STD_ID_CD001, VSD_STD_ID_LEN)) { + switch (vsd->structType) { + case 0: + udf_debug("ISO9660 Boot Record found\n"); + break; + case 1: + udf_debug("ISO9660 Primary Volume Descriptor found\n"); + break; + case 2: + udf_debug("ISO9660 Supplementary Volume Descriptor found\n"); + break; + case 3: + udf_debug("ISO9660 Volume Partition Descriptor found\n"); + break; + case 255: + udf_debug("ISO9660 Volume Descriptor Set Terminator found\n"); + break; + default: + udf_debug("ISO9660 VRS (%u) found\n", vsd->structType); + break; + } + } else if (!memcmp(vsd->stdIdent, VSD_STD_ID_BEA01, VSD_STD_ID_LEN)) + ; /* ret = 0 */ + else if (!memcmp(vsd->stdIdent, VSD_STD_ID_NSR02, VSD_STD_ID_LEN)) + ret = 1; + else if (!memcmp(vsd->stdIdent, VSD_STD_ID_NSR03, VSD_STD_ID_LEN)) + ret = 1; + else if (!memcmp(vsd->stdIdent, VSD_STD_ID_BOOT2, VSD_STD_ID_LEN)) + ; /* ret = 0 */ + else if (!memcmp(vsd->stdIdent, VSD_STD_ID_CDW02, VSD_STD_ID_LEN)) + ; /* ret = 0 */ + else { + /* TEA01 or invalid id : end of volume recognition area */ + ret = -1; + } + + return ret; +} + +/* + * Check Volume Structure Descriptors (ECMA 167 2/9.1) + * We also check any "CD-ROM Volume Descriptor Set" (ECMA 167 2/8.3.1) + * @return 1 if NSR02 or NSR03 found, + * -1 if first sector read error, 0 otherwise + */ +static int udf_check_vsd(struct super_block *sb) { struct volStructDesc *vsd = NULL; loff_t sector = VSD_FIRST_SECTOR_OFFSET; int sectorsize; struct buffer_head *bh = NULL; - int nsr02 = 0; - int nsr03 = 0; + int nsr = 0; struct udf_sb_info *sbi; sbi = UDF_SB(sb); @@ -679,71 +730,20 @@ static loff_t udf_check_vsd(struct super_block *sb) * activity. This actually happened with uninitialised SSD partitions * (all 0xFF) before the check for the limit and all valid IDs were * added */ - for (; !nsr02 && !nsr03 && sector < VSD_MAX_SECTOR_OFFSET; - sector += sectorsize) { + for (; !nsr && sector < VSD_MAX_SECTOR_OFFSET; sector += sectorsize) { /* Read a block */ bh = udf_tread(sb, sector >> sb->s_blocksize_bits); if (!bh) break; - /* Look for ISO descriptors */ vsd = (struct volStructDesc *)(bh->b_data + (sector & (sb->s_blocksize - 1))); - - if (!strncmp(vsd->stdIdent, VSD_STD_ID_CD001, - VSD_STD_ID_LEN)) { - switch (vsd->structType) { - case 0: - udf_debug("ISO9660 Boot Record found\n"); - break; - case 1: - udf_debug("ISO9660 Primary Volume Descriptor found\n"); - break; - case 2: - udf_debug("ISO9660 Supplementary Volume Descriptor found\n"); - break; - case 3: - udf_debug("ISO9660 Volume Partition Descriptor found\n"); - break; - case 255: - udf_debug("ISO9660 Volume Descriptor Set Terminator found\n"); - break; - default: - udf_debug("ISO9660 VRS (%u) found\n", - vsd->structType); - break; - } - } else if (!strncmp(vsd->stdIdent, VSD_STD_ID_BEA01, - VSD_STD_ID_LEN)) - ; /* nothing */ - else if (!strncmp(vsd->stdIdent, VSD_STD_ID_TEA01, - VSD_STD_ID_LEN)) { - brelse(bh); - break; - } else if (!strncmp(vsd->stdIdent, VSD_STD_ID_NSR02, - VSD_STD_ID_LEN)) - nsr02 = sector; - else if (!strncmp(vsd->stdIdent, VSD_STD_ID_NSR03, - VSD_STD_ID_LEN)) - nsr03 = sector; - else if (!strncmp(vsd->stdIdent, VSD_STD_ID_BOOT2, - VSD_STD_ID_LEN)) - ; /* nothing */ - else if (!strncmp(vsd->stdIdent, VSD_STD_ID_CDW02, - VSD_STD_ID_LEN)) - ; /* nothing */ - else { - /* invalid id : end of volume recognition area */ - brelse(bh); - break; - } + nsr = identify_vsd(vsd); brelse(bh); } - if (nsr03) - return nsr03; - else if (nsr02) - return nsr02; + if (nsr > 0) + return 1; else if (!bh && sector - (sbi->s_session << sb->s_blocksize_bits) == VSD_FIRST_SECTOR_OFFSET) return -1; @@ -1915,7 +1915,7 @@ static int udf_load_vrs(struct super_block *sb, struct udf_options *uopt, int silent, struct kernel_lb_addr *fileset) { struct udf_sb_info *sbi = UDF_SB(sb); - loff_t nsr_off; + int nsr = 0; int ret; if (!sb_set_blocksize(sb, uopt->blocksize)) { @@ -1926,13 +1926,13 @@ static int udf_load_vrs(struct super_block *sb, struct udf_options *uopt, sbi->s_last_block = uopt->lastblock; if (!uopt->novrs) { /* Check that it is NSR02 compliant */ - nsr_off = udf_check_vsd(sb); - if (!nsr_off) { + nsr = udf_check_vsd(sb); + if (!nsr) { if (!silent) udf_warn(sb, "No VRS found\n"); return -EINVAL; } - if (nsr_off == -1) + if (nsr == -1) udf_debug("Failed to read sector at offset %d. " "Assuming open disc. Skipping validity " "check\n", VSD_FIRST_SECTOR_OFFSET); -- cgit v1.2.3-58-ga151 From 6fbacb8539a6659d446a9efabb538cfc007c1427 Mon Sep 17 00:00:00 2001 From: "Steven J. Magnani" Date: Thu, 11 Jul 2019 08:38:52 -0500 Subject: udf: support 2048-byte spacing of VRS descriptors on 4K media Some UDF creators (specifically Microsoft, but perhaps others) mishandle the ECMA-167 corner case that requires descriptors within a Volume Recognition Sequence to be placed at 4096-byte intervals on media where the block size is 4K. Instead, the descriptors are placed at the 2048- byte interval mandated for media with smaller blocks. This nonconformity currently prevents Linux from recognizing the filesystem as UDF. Modify the driver to tolerate a misformatted VRS on 4K media. [JK: Simplified descriptor checking] Signed-off-by: Steven J. Magnani Tested-by: Steven J. Magnani Link: https://lore.kernel.org/r/20190711133852.16887-2-steve@digidescorp.com Signed-off-by: Jan Kara --- fs/udf/super.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/fs/udf/super.c b/fs/udf/super.c index 14a91955507b..f34e06b4d8fa 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -739,6 +739,22 @@ static int udf_check_vsd(struct super_block *sb) vsd = (struct volStructDesc *)(bh->b_data + (sector & (sb->s_blocksize - 1))); nsr = identify_vsd(vsd); + /* Found NSR or end? */ + if (nsr) { + brelse(bh); + break; + } + /* + * Special handling for improperly formatted VRS (e.g., Win10) + * where components are separated by 2048 bytes even though + * sectors are 4K + */ + if (sb->s_blocksize == 4096) { + nsr = identify_vsd(vsd + 1); + /* Ignore unknown IDs... */ + if (nsr < 0) + nsr = 0; + } brelse(bh); } -- cgit v1.2.3-58-ga151 From e5d395974e043cdcedcd84a0d41aaebb723786d8 Mon Sep 17 00:00:00 2001 From: Chengguang Xu Date: Tue, 23 Jul 2019 19:21:54 +0800 Subject: ext2: fix block range in ext2_data_block_valid() For block validity we should check the block range from start_block to start_block + count - 1, so fix the range in ext2_data_block_valid() and also modify the count argument properly in calling place. Signed-off-by: Chengguang Xu Link: https://lore.kernel.org/r/20190723112155.20329-1-cgxu519@zoho.com.cn Signed-off-by: Jan Kara --- fs/ext2/balloc.c | 6 +++--- fs/ext2/xattr.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c index 547c165299c0..92e9a7489174 100644 --- a/fs/ext2/balloc.c +++ b/fs/ext2/balloc.c @@ -1203,13 +1203,13 @@ int ext2_data_block_valid(struct ext2_sb_info *sbi, ext2_fsblk_t start_blk, unsigned int count) { if ((start_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) || - (start_blk + count < start_blk) || - (start_blk > le32_to_cpu(sbi->s_es->s_blocks_count))) + (start_blk + count - 1 < start_blk) || + (start_blk + count - 1 >= le32_to_cpu(sbi->s_es->s_blocks_count))) return 0; /* Ensure we do not step over superblock */ if ((start_blk <= sbi->s_sb_block) && - (start_blk + count >= sbi->s_sb_block)) + (start_blk + count - 1 >= sbi->s_sb_block)) return 0; return 1; diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c index 79369c13cc55..0456bc990b5e 100644 --- a/fs/ext2/xattr.c +++ b/fs/ext2/xattr.c @@ -794,7 +794,7 @@ ext2_xattr_delete_inode(struct inode *inode) if (!EXT2_I(inode)->i_file_acl) goto cleanup; - if (!ext2_data_block_valid(sbi, EXT2_I(inode)->i_file_acl, 0)) { + if (!ext2_data_block_valid(sbi, EXT2_I(inode)->i_file_acl, 1)) { ext2_error(inode->i_sb, "ext2_xattr_delete_inode", "inode %ld: xattr block %d is out of data blocks range", inode->i_ino, EXT2_I(inode)->i_file_acl); -- cgit v1.2.3-58-ga151 From b6aeffc5852f39db6e6e56da5327d0c43ac3c30a Mon Sep 17 00:00:00 2001 From: Chengguang Xu Date: Tue, 23 Jul 2019 19:21:55 +0800 Subject: ext2: code cleanup for ext2_free_blocks() Call ext2_data_block_valid() for block range validity. Signed-off-by: Chengguang Xu Link: https://lore.kernel.org/r/20190723112155.20329-2-cgxu519@zoho.com.cn Signed-off-by: Jan Kara --- fs/ext2/balloc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c index 92e9a7489174..e0cc55164505 100644 --- a/fs/ext2/balloc.c +++ b/fs/ext2/balloc.c @@ -490,9 +490,7 @@ void ext2_free_blocks (struct inode * inode, unsigned long block, struct ext2_super_block * es = sbi->s_es; unsigned freed = 0, group_freed; - if (block < le32_to_cpu(es->s_first_data_block) || - block + count < block || - block + count > le32_to_cpu(es->s_blocks_count)) { + if (!ext2_data_block_valid(sbi, block, count)) { ext2_error (sb, "ext2_free_blocks", "Freeing blocks not in datazone - " "block = %lu, count = %lu", block, count); -- cgit v1.2.3-58-ga151 From 4b8e1106dd95d4d7f2781258d3871b445f3928ce Mon Sep 17 00:00:00 2001 From: Chengguang Xu Date: Wed, 24 Jul 2019 13:32:16 +0800 Subject: quota: fix condition for resetting time limit in do_set_dqblk() We reset time limit when current usage is smaller or equal to soft limit in other place, so follow this rule in do_set_dqblk(). Signed-off-by: Chengguang Xu Link: https://lore.kernel.org/r/20190724053216.19392-1-cgxu519@zoho.com.cn Signed-off-by: Jan Kara --- fs/quota/dquot.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c index be9c471cdbc8..6e826b454082 100644 --- a/fs/quota/dquot.c +++ b/fs/quota/dquot.c @@ -2731,7 +2731,7 @@ static int do_set_dqblk(struct dquot *dquot, struct qc_dqblk *di) if (check_blim) { if (!dm->dqb_bsoftlimit || - dm->dqb_curspace + dm->dqb_rsvspace < dm->dqb_bsoftlimit) { + dm->dqb_curspace + dm->dqb_rsvspace <= dm->dqb_bsoftlimit) { dm->dqb_btime = 0; clear_bit(DQ_BLKS_B, &dquot->dq_flags); } else if (!(di->d_fieldmask & QC_SPC_TIMER)) @@ -2740,7 +2740,7 @@ static int do_set_dqblk(struct dquot *dquot, struct qc_dqblk *di) } if (check_ilim) { if (!dm->dqb_isoftlimit || - dm->dqb_curinodes < dm->dqb_isoftlimit) { + dm->dqb_curinodes <= dm->dqb_isoftlimit) { dm->dqb_itime = 0; clear_bit(DQ_INODES_B, &dquot->dq_flags); } else if (!(di->d_fieldmask & QC_INO_TIMER)) -- cgit v1.2.3-58-ga151 From 56db1991690f076c2a7e3b2a226629cd10901690 Mon Sep 17 00:00:00 2001 From: Steve Magnani Date: Sun, 28 Jul 2019 14:19:12 -0500 Subject: udf: prevent allocation beyond UDF partition The UDF bitmap allocation code assumes that a recorded Unallocated Space Bitmap is compliant with ECMA-167 4/13, which requires that pad bytes between the end of the bitmap and the end of a logical block are all zero. When a recorded bitmap does not comply with this requirement, for example one padded with FF to the block boundary instead of 00, the allocator may "allocate" blocks that are outside the UDF partition extent. This can result in UDF volume descriptors being overwritten by file data or by partition-level descriptors, and in extreme cases, even in scribbling on a subsequent disk partition. Add a check that the block selected by the allocator actually resides within the UDF partition extent. Signed-off-by: Steven J. Magnani Link: https://lore.kernel.org/r/1564341552-129750-1-git-send-email-steve@digidescorp.com Signed-off-by: Jan Kara --- fs/udf/balloc.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index ec85aeaed54a..02f03fadb75b 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -325,6 +325,17 @@ got_block: newblock = bit + (block_group << (sb->s_blocksize_bits + 3)) - (sizeof(struct spaceBitmapDesc) << 3); + if (newblock >= sbi->s_partmaps[partition].s_partition_len) { + /* + * Ran off the end of the bitmap, and bits following are + * non-compliant (not all zero) + */ + udf_err(sb, "bitmap for partition %d corrupted (block %u marked" + " as free, partition length is %u)\n", partition, + newblock, sbi->s_partmaps[partition].s_partition_len); + goto error_return; + } + if (!udf_clear_bit(bit, bh->b_data)) { udf_debug("bit already cleared for block %d\n", bit); goto repeat; -- cgit v1.2.3-58-ga151 From ab9a3a737284b3d9e1d2ba43a0ef31b3ef2e2417 Mon Sep 17 00:00:00 2001 From: "Steven J. Magnani" Date: Wed, 14 Aug 2019 07:50:02 -0500 Subject: udf: reduce leakage of blocks related to named streams Windows is capable of creating UDF files having named streams. One example is the "Zone.Identifier" stream attached automatically to files downloaded from a network. See: https://msdn.microsoft.com/en-us/library/dn392609.aspx Modification of a file having one or more named streams in Linux causes the stream directory to become detached from the file, essentially leaking all blocks pertaining to the file's streams. Fix by saving off information about an inode's streams when reading it, for later use when its on-disk data is updated. Link: https://lore.kernel.org/r/20190814125002.10869-1-steve@digidescorp.com Signed-off-by: Steven J. Magnani Signed-off-by: Jan Kara --- fs/udf/inode.c | 24 +++++++++++++++++++++++- fs/udf/super.c | 2 ++ fs/udf/udf_i.h | 5 ++++- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 9bb18311a22f..54eee39f2698 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1485,6 +1485,8 @@ reread: iinfo->i_lenEAttr = le32_to_cpu(fe->lengthExtendedAttr); iinfo->i_lenAlloc = le32_to_cpu(fe->lengthAllocDescs); iinfo->i_checkpoint = le32_to_cpu(fe->checkpoint); + iinfo->i_streamdir = 0; + iinfo->i_lenStreams = 0; } else { inode->i_blocks = le64_to_cpu(efe->logicalBlocksRecorded) << (inode->i_sb->s_blocksize_bits - 9); @@ -1498,6 +1500,16 @@ reread: iinfo->i_lenEAttr = le32_to_cpu(efe->lengthExtendedAttr); iinfo->i_lenAlloc = le32_to_cpu(efe->lengthAllocDescs); iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); + + /* Named streams */ + iinfo->i_streamdir = (efe->streamDirectoryICB.extLength != 0); + iinfo->i_locStreamdir = + lelb_to_cpu(efe->streamDirectoryICB.extLocation); + iinfo->i_lenStreams = le64_to_cpu(efe->objectSize); + if (iinfo->i_lenStreams >= inode->i_size) + iinfo->i_lenStreams -= inode->i_size; + else + iinfo->i_lenStreams = 0; } inode->i_generation = iinfo->i_unique; @@ -1760,9 +1772,19 @@ static int udf_update_inode(struct inode *inode, int do_sync) iinfo->i_ext.i_data, inode->i_sb->s_blocksize - sizeof(struct extendedFileEntry)); - efe->objectSize = cpu_to_le64(inode->i_size); + efe->objectSize = + cpu_to_le64(inode->i_size + iinfo->i_lenStreams); efe->logicalBlocksRecorded = cpu_to_le64(lb_recorded); + if (iinfo->i_streamdir) { + struct long_ad *icb_lad = &efe->streamDirectoryICB; + + icb_lad->extLocation = + cpu_to_lelb(iinfo->i_locStreamdir); + icb_lad->extLength = + cpu_to_le32(inode->i_sb->s_blocksize); + } + udf_adjust_time(iinfo, inode->i_atime); udf_adjust_time(iinfo, inode->i_mtime); udf_adjust_time(iinfo, inode->i_ctime); diff --git a/fs/udf/super.c b/fs/udf/super.c index f34e06b4d8fa..00e2d7190b52 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -151,9 +151,11 @@ static struct inode *udf_alloc_inode(struct super_block *sb) ei->i_unique = 0; ei->i_lenExtents = 0; + ei->i_lenStreams = 0; ei->i_next_alloc_block = 0; ei->i_next_alloc_goal = 0; ei->i_strat4096 = 0; + ei->i_streamdir = 0; init_rwsem(&ei->i_data_sem); ei->cached_extent.lstart = -1; spin_lock_init(&ei->i_extent_cache_lock); diff --git a/fs/udf/udf_i.h b/fs/udf/udf_i.h index 2ef0e212f08a..00d773d1b7cf 100644 --- a/fs/udf/udf_i.h +++ b/fs/udf/udf_i.h @@ -42,12 +42,15 @@ struct udf_inode_info { unsigned i_efe : 1; /* extendedFileEntry */ unsigned i_use : 1; /* unallocSpaceEntry */ unsigned i_strat4096 : 1; - unsigned reserved : 26; + unsigned i_streamdir : 1; + unsigned reserved : 25; union { struct short_ad *i_sad; struct long_ad *i_lad; __u8 *i_data; } i_ext; + struct kernel_lb_addr i_locStreamdir; + __u64 i_lenStreams; struct rw_semaphore i_data_sem; struct udf_ext_cache cached_extent; /* Spinlock for protecting extent cache */ -- cgit v1.2.3-58-ga151 From 8cbd9af9d208b1f015cf8a4645602f0a007270a8 Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Mon, 26 Aug 2019 11:36:19 +0200 Subject: udf: Use dynamic debug infrastructure Instead of relying on UDFFS_DEBUG define for debug printing, just use standard pr_debug() prints and rely on CONFIG_DYNAMIC_DEBUG infrastructure for enabling or disabling prints. Signed-off-by: Jan Kara --- fs/udf/super.c | 7 ------- fs/udf/udfdecl.h | 10 +--------- 2 files changed, 1 insertion(+), 16 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index 00e2d7190b52..56da1e1680ea 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -812,9 +812,7 @@ static int udf_load_pvoldesc(struct super_block *sb, sector_t block) struct buffer_head *bh; uint16_t ident; int ret = -ENOMEM; -#ifdef UDFFS_DEBUG struct timestamp *ts; -#endif outstr = kmalloc(128, GFP_NOFS); if (!outstr) @@ -835,13 +833,10 @@ static int udf_load_pvoldesc(struct super_block *sb, sector_t block) udf_disk_stamp_to_time(&UDF_SB(sb)->s_record_time, pvoldesc->recordingDateAndTime); -#ifdef UDFFS_DEBUG ts = &pvoldesc->recordingDateAndTime; udf_debug("recording time %04u/%02u/%02u %02u:%02u (%x)\n", le16_to_cpu(ts->year), ts->month, ts->day, ts->hour, ts->minute, le16_to_cpu(ts->typeAndTimezone)); -#endif - ret = udf_dstrCS0toChar(sb, outstr, 31, pvoldesc->volIdent, 32); if (ret < 0) { @@ -1256,9 +1251,7 @@ static int udf_load_partdesc(struct super_block *sb, sector_t block) * PHYSICAL partitions are already set up */ type1_idx = i; -#ifdef UDFFS_DEBUG map = NULL; /* supress 'maybe used uninitialized' warning */ -#endif for (i = 0; i < sbi->s_partitions; i++) { map = &sbi->s_partmaps[i]; diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h index d89ef71887fc..65e243ebeb9c 100644 --- a/fs/udf/udfdecl.h +++ b/fs/udf/udfdecl.h @@ -31,16 +31,8 @@ extern __printf(3, 4) void _udf_warn(struct super_block *sb, #define udf_info(fmt, ...) \ pr_info("INFO " fmt, ##__VA_ARGS__) -#undef UDFFS_DEBUG - -#ifdef UDFFS_DEBUG -#define udf_debug(fmt, ...) \ - printk(KERN_DEBUG pr_fmt("%s:%d:%s: " fmt), \ - __FILE__, __LINE__, __func__, ##__VA_ARGS__) -#else #define udf_debug(fmt, ...) \ - no_printk(fmt, ##__VA_ARGS__) -#endif + pr_debug("%s:%d:%s: " fmt, __FILE__, __LINE__, __func__, ##__VA_ARGS__) #define udf_fixed_to_variable(x) ( ( ( (x) >> 5 ) * 39 ) + ( (x) & 0x0000001F ) ) #define udf_variable_to_fixed(x) ( ( ( (x) / 39 ) << 5 ) + ( (x) % 39 ) ) -- cgit v1.2.3-58-ga151 From c3367a1b47d590f97109cd4b5189e750fb26c0f1 Mon Sep 17 00:00:00 2001 From: "Steven J. Magnani" Date: Tue, 27 Aug 2019 07:13:59 -0500 Subject: udf: augment UDF permissions on new inodes Windows presents files created within Linux as read-only, even when permissions in Linux indicate the file should be writable. UDF defines a slightly different set of basic file permissions than Linux. Specifically, UDF has "delete" and "change attribute" permissions for each access class (user/group/other). Linux has no equivalents for these. When the Linux UDF driver creates a file (or directory), no UDF delete or change attribute permissions are granted. The lack of delete permission appears to cause Windows to mark an item read-only when its permissions otherwise indicate that it should be read-write. Fix this by having UDF delete permissions track Linux write permissions. Also grant UDF change attribute permission to the owner when creating a new inode. Reported by: Ty Young Signed-off-by: Steven J. Magnani Link: https://lore.kernel.org/r/20190827121359.9954-1-steve@digidescorp.com Signed-off-by: Jan Kara --- fs/udf/file.c | 3 +++ fs/udf/ialloc.c | 3 +++ fs/udf/inode.c | 31 +++++++++++++++++++++++++++---- fs/udf/udf_i.h | 1 + fs/udf/udfdecl.h | 1 + 5 files changed, 35 insertions(+), 4 deletions(-) diff --git a/fs/udf/file.c b/fs/udf/file.c index cd31e4f6d6da..628941a6b79a 100644 --- a/fs/udf/file.c +++ b/fs/udf/file.c @@ -280,6 +280,9 @@ static int udf_setattr(struct dentry *dentry, struct iattr *attr) return error; } + if (attr->ia_valid & ATTR_MODE) + udf_update_extra_perms(inode, attr->ia_mode); + setattr_copy(inode, attr); mark_inode_dirty(inode); return 0; diff --git a/fs/udf/ialloc.c b/fs/udf/ialloc.c index f8e5872f7cc2..0adb40718a5d 100644 --- a/fs/udf/ialloc.c +++ b/fs/udf/ialloc.c @@ -118,6 +118,9 @@ struct inode *udf_new_inode(struct inode *dir, umode_t mode) iinfo->i_lenAlloc = 0; iinfo->i_use = 0; iinfo->i_checkpoint = 1; + iinfo->i_extraPerms = FE_PERM_U_CHATTR; + udf_update_extra_perms(inode, mode); + if (UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_USE_AD_IN_ICB)) iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; else if (UDF_QUERY_FLAG(inode->i_sb, UDF_FLAG_USE_SHORT_AD)) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 54eee39f2698..ea80036d7897 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -45,6 +45,13 @@ #define EXTENT_MERGE_SIZE 5 +#define FE_MAPPED_PERMS (FE_PERM_U_READ | FE_PERM_U_WRITE | FE_PERM_U_EXEC | \ + FE_PERM_G_READ | FE_PERM_G_WRITE | FE_PERM_G_EXEC | \ + FE_PERM_O_READ | FE_PERM_O_WRITE | FE_PERM_O_EXEC) + +#define FE_DELETE_PERMS (FE_PERM_U_DELETE | FE_PERM_G_DELETE | \ + FE_PERM_O_DELETE) + static umode_t udf_convert_permissions(struct fileEntry *); static int udf_update_inode(struct inode *, int); static int udf_sync_inode(struct inode *inode); @@ -1458,6 +1465,8 @@ reread: else inode->i_mode = udf_convert_permissions(fe); inode->i_mode &= ~sbi->s_umask; + iinfo->i_extraPerms = le32_to_cpu(fe->permissions) & ~FE_MAPPED_PERMS; + read_unlock(&sbi->s_cred_lock); link_count = le16_to_cpu(fe->fileLinkCount); @@ -1631,6 +1640,23 @@ static umode_t udf_convert_permissions(struct fileEntry *fe) return mode; } +void udf_update_extra_perms(struct inode *inode, umode_t mode) +{ + struct udf_inode_info *iinfo = UDF_I(inode); + + /* + * UDF 2.01 sec. 3.3.3.3 Note 2: + * In Unix, delete permission tracks write + */ + iinfo->i_extraPerms &= ~FE_DELETE_PERMS; + if (mode & 0200) + iinfo->i_extraPerms |= FE_PERM_U_DELETE; + if (mode & 0020) + iinfo->i_extraPerms |= FE_PERM_G_DELETE; + if (mode & 0002) + iinfo->i_extraPerms |= FE_PERM_O_DELETE; +} + int udf_write_inode(struct inode *inode, struct writeback_control *wbc) { return udf_update_inode(inode, wbc->sync_mode == WB_SYNC_ALL); @@ -1703,10 +1729,7 @@ static int udf_update_inode(struct inode *inode, int do_sync) ((inode->i_mode & 0070) << 2) | ((inode->i_mode & 0700) << 4); - udfperms |= (le32_to_cpu(fe->permissions) & - (FE_PERM_O_DELETE | FE_PERM_O_CHATTR | - FE_PERM_G_DELETE | FE_PERM_G_CHATTR | - FE_PERM_U_DELETE | FE_PERM_U_CHATTR)); + udfperms |= iinfo->i_extraPerms; fe->permissions = cpu_to_le32(udfperms); if (S_ISDIR(inode->i_mode) && inode->i_nlink > 0) diff --git a/fs/udf/udf_i.h b/fs/udf/udf_i.h index 00d773d1b7cf..4245d1f63258 100644 --- a/fs/udf/udf_i.h +++ b/fs/udf/udf_i.h @@ -38,6 +38,7 @@ struct udf_inode_info { __u32 i_next_alloc_block; __u32 i_next_alloc_goal; __u32 i_checkpoint; + __u32 i_extraPerms; unsigned i_alloc_type : 3; unsigned i_efe : 1; /* extendedFileEntry */ unsigned i_use : 1; /* unallocSpaceEntry */ diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h index 65e243ebeb9c..9dd0814f1077 100644 --- a/fs/udf/udfdecl.h +++ b/fs/udf/udfdecl.h @@ -170,6 +170,7 @@ extern int8_t udf_next_aext(struct inode *, struct extent_position *, struct kernel_lb_addr *, uint32_t *, int); extern int8_t udf_current_aext(struct inode *, struct extent_position *, struct kernel_lb_addr *, uint32_t *, int); +extern void udf_update_extra_perms(struct inode *inode, umode_t mode); /* misc.c */ extern struct buffer_head *udf_tgetblk(struct super_block *sb, -- cgit v1.2.3-58-ga151 From 2dee5aac05565933c5bf6ad4acd4f9bcd6ea2ff7 Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Thu, 29 Aug 2019 14:11:54 +0200 Subject: udf: Verify domain identifier fields OSTA UDF standard defines that domain identifier in logical volume descriptor and file set descriptor should contain a particular string and the identifier suffix contains flags possibly making media write-protected. Verify these constraints and allow only read-only mount if they are not met. Tested-by: Steven J. Magnani Reviewed-by: Steven J. Magnani Signed-off-by: Jan Kara --- fs/udf/ecma_167.h | 14 +++++++++ fs/udf/super.c | 91 ++++++++++++++++++++++++++++++++++++++----------------- 2 files changed, 78 insertions(+), 27 deletions(-) diff --git a/fs/udf/ecma_167.h b/fs/udf/ecma_167.h index 9f24bd1a9f44..fb7f2c7bec9c 100644 --- a/fs/udf/ecma_167.h +++ b/fs/udf/ecma_167.h @@ -88,6 +88,20 @@ struct regid { #define ENTITYID_FLAGS_DIRTY 0x00 #define ENTITYID_FLAGS_PROTECTED 0x01 +/* OSTA UDF 2.1.5.2 */ +#define UDF_ID_COMPLIANT "*OSTA UDF Compliant" + +/* OSTA UDF 2.1.5.3 */ +struct domainEntityIDSuffix { + uint16_t revision; + uint8_t flags; + uint8_t reserved[5]; +}; + +/* OSTA UDF 2.1.5.3 */ +#define ENTITYIDSUFFIX_FLAGS_HARDWRITEPROTECT 0 +#define ENTITYIDSUFFIX_FLAGS_SOFTWRITEPROTECT 1 + /* Volume Structure Descriptor (ECMA 167r3 2/9.1) */ #define VSD_STD_ID_LEN 5 struct volStructDesc { diff --git a/fs/udf/super.c b/fs/udf/super.c index 56da1e1680ea..9e72a9e98ab3 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -94,8 +94,8 @@ static int udf_remount_fs(struct super_block *, int *, char *); static void udf_load_logicalvolint(struct super_block *, struct kernel_extent_ad); static int udf_find_fileset(struct super_block *, struct kernel_lb_addr *, struct kernel_lb_addr *); -static void udf_load_fileset(struct super_block *, struct buffer_head *, - struct kernel_lb_addr *); +static int udf_load_fileset(struct super_block *, struct fileSetDesc *, + struct kernel_lb_addr *); static void udf_open_lvid(struct super_block *); static void udf_close_lvid(struct super_block *); static unsigned int udf_count_free(struct super_block *); @@ -775,28 +775,27 @@ static int udf_find_fileset(struct super_block *sb, { struct buffer_head *bh = NULL; uint16_t ident; + int ret; - if (fileset->logicalBlockNum != 0xFFFFFFFF || - fileset->partitionReferenceNum != 0xFFFF) { - bh = udf_read_ptagged(sb, fileset, 0, &ident); - - if (!bh) { - return 1; - } else if (ident != TAG_IDENT_FSD) { - brelse(bh); - return 1; - } - - udf_debug("Fileset at block=%u, partition=%u\n", - fileset->logicalBlockNum, - fileset->partitionReferenceNum); + if (fileset->logicalBlockNum == 0xFFFFFFFF && + fileset->partitionReferenceNum == 0xFFFF) + return -EINVAL; - UDF_SB(sb)->s_partition = fileset->partitionReferenceNum; - udf_load_fileset(sb, bh, root); + bh = udf_read_ptagged(sb, fileset, 0, &ident); + if (!bh) + return -EIO; + if (ident != TAG_IDENT_FSD) { brelse(bh); - return 0; + return -EINVAL; } - return 1; + + udf_debug("Fileset at block=%u, partition=%u\n", + fileset->logicalBlockNum, fileset->partitionReferenceNum); + + UDF_SB(sb)->s_partition = fileset->partitionReferenceNum; + ret = udf_load_fileset(sb, (struct fileSetDesc *)bh->b_data, root); + brelse(bh); + return ret; } /* @@ -952,19 +951,53 @@ static int udf_load_metadata_files(struct super_block *sb, int partition, return 0; } -static void udf_load_fileset(struct super_block *sb, struct buffer_head *bh, - struct kernel_lb_addr *root) +static int udf_verify_domain_identifier(struct super_block *sb, + struct regid *ident, char *dname) { - struct fileSetDesc *fset; + struct domainEntityIDSuffix *suffix; - fset = (struct fileSetDesc *)bh->b_data; + if (memcmp(ident->ident, UDF_ID_COMPLIANT, strlen(UDF_ID_COMPLIANT))) { + udf_warn(sb, "Not OSTA UDF compliant %s descriptor.\n", dname); + goto force_ro; + } + if (ident->flags & (1 << ENTITYID_FLAGS_DIRTY)) { + udf_warn(sb, "Possibly not OSTA UDF compliant %s descriptor.\n", + dname); + goto force_ro; + } + suffix = (struct domainEntityIDSuffix *)ident->identSuffix; + if (suffix->flags & (1 << ENTITYIDSUFFIX_FLAGS_HARDWRITEPROTECT) || + suffix->flags & (1 << ENTITYIDSUFFIX_FLAGS_SOFTWRITEPROTECT)) { + if (!sb_rdonly(sb)) { + udf_warn(sb, "Descriptor for %s marked write protected." + " Forcing read only mount.\n", dname); + } + goto force_ro; + } + return 0; - *root = lelb_to_cpu(fset->rootDirectoryICB.extLocation); +force_ro: + if (!sb_rdonly(sb)) + return -EACCES; + UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); + return 0; +} +static int udf_load_fileset(struct super_block *sb, struct fileSetDesc *fset, + struct kernel_lb_addr *root) +{ + int ret; + + ret = udf_verify_domain_identifier(sb, &fset->domainIdent, "file set"); + if (ret < 0) + return ret; + + *root = lelb_to_cpu(fset->rootDirectoryICB.extLocation); UDF_SB(sb)->s_serial_number = le16_to_cpu(fset->descTag.tagSerialNum); udf_debug("Rootdir at block=%u, partition=%u\n", root->logicalBlockNum, root->partitionReferenceNum); + return 0; } int udf_compute_nr_groups(struct super_block *sb, u32 partition) @@ -1375,6 +1408,10 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, goto out_bh; } + ret = udf_verify_domain_identifier(sb, &lvd->domainIdent, + "logical volume"); + if (ret) + goto out_bh; ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); if (ret) goto out_bh; @@ -2227,9 +2264,9 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); } - if (udf_find_fileset(sb, &fileset, &rootdir)) { + ret = udf_find_fileset(sb, &fileset, &rootdir); + if (ret < 0) { udf_warn(sb, "No fileset found\n"); - ret = -EINVAL; goto error_out; } -- cgit v1.2.3-58-ga151 From 8b47ea6c21cbf169c4c41ad6de1ac12fba5ddd8e Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Thu, 29 Aug 2019 14:19:30 +0200 Subject: udf: Drop forward function declarations Move some functions to make forward declarations unnecessary. Signed-off-by: Jan Kara --- fs/udf/super.c | 102 +++++++++++++++++++++++++++------------------------------ 1 file changed, 49 insertions(+), 53 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index 9e72a9e98ab3..7ab29124961c 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -92,10 +92,6 @@ static void udf_put_super(struct super_block *); static int udf_sync_fs(struct super_block *, int); static int udf_remount_fs(struct super_block *, int *, char *); static void udf_load_logicalvolint(struct super_block *, struct kernel_extent_ad); -static int udf_find_fileset(struct super_block *, struct kernel_lb_addr *, - struct kernel_lb_addr *); -static int udf_load_fileset(struct super_block *, struct fileSetDesc *, - struct kernel_lb_addr *); static void udf_open_lvid(struct super_block *); static void udf_close_lvid(struct super_block *); static unsigned int udf_count_free(struct super_block *); @@ -769,6 +765,55 @@ static int udf_check_vsd(struct super_block *sb) return 0; } +static int udf_verify_domain_identifier(struct super_block *sb, + struct regid *ident, char *dname) +{ + struct domainEntityIDSuffix *suffix; + + if (memcmp(ident->ident, UDF_ID_COMPLIANT, strlen(UDF_ID_COMPLIANT))) { + udf_warn(sb, "Not OSTA UDF compliant %s descriptor.\n", dname); + goto force_ro; + } + if (ident->flags & (1 << ENTITYID_FLAGS_DIRTY)) { + udf_warn(sb, "Possibly not OSTA UDF compliant %s descriptor.\n", + dname); + goto force_ro; + } + suffix = (struct domainEntityIDSuffix *)ident->identSuffix; + if (suffix->flags & (1 << ENTITYIDSUFFIX_FLAGS_HARDWRITEPROTECT) || + suffix->flags & (1 << ENTITYIDSUFFIX_FLAGS_SOFTWRITEPROTECT)) { + if (!sb_rdonly(sb)) { + udf_warn(sb, "Descriptor for %s marked write protected." + " Forcing read only mount.\n", dname); + } + goto force_ro; + } + return 0; + +force_ro: + if (!sb_rdonly(sb)) + return -EACCES; + UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); + return 0; +} + +static int udf_load_fileset(struct super_block *sb, struct fileSetDesc *fset, + struct kernel_lb_addr *root) +{ + int ret; + + ret = udf_verify_domain_identifier(sb, &fset->domainIdent, "file set"); + if (ret < 0) + return ret; + + *root = lelb_to_cpu(fset->rootDirectoryICB.extLocation); + UDF_SB(sb)->s_serial_number = le16_to_cpu(fset->descTag.tagSerialNum); + + udf_debug("Rootdir at block=%u, partition=%u\n", + root->logicalBlockNum, root->partitionReferenceNum); + return 0; +} + static int udf_find_fileset(struct super_block *sb, struct kernel_lb_addr *fileset, struct kernel_lb_addr *root) @@ -951,55 +996,6 @@ static int udf_load_metadata_files(struct super_block *sb, int partition, return 0; } -static int udf_verify_domain_identifier(struct super_block *sb, - struct regid *ident, char *dname) -{ - struct domainEntityIDSuffix *suffix; - - if (memcmp(ident->ident, UDF_ID_COMPLIANT, strlen(UDF_ID_COMPLIANT))) { - udf_warn(sb, "Not OSTA UDF compliant %s descriptor.\n", dname); - goto force_ro; - } - if (ident->flags & (1 << ENTITYID_FLAGS_DIRTY)) { - udf_warn(sb, "Possibly not OSTA UDF compliant %s descriptor.\n", - dname); - goto force_ro; - } - suffix = (struct domainEntityIDSuffix *)ident->identSuffix; - if (suffix->flags & (1 << ENTITYIDSUFFIX_FLAGS_HARDWRITEPROTECT) || - suffix->flags & (1 << ENTITYIDSUFFIX_FLAGS_SOFTWRITEPROTECT)) { - if (!sb_rdonly(sb)) { - udf_warn(sb, "Descriptor for %s marked write protected." - " Forcing read only mount.\n", dname); - } - goto force_ro; - } - return 0; - -force_ro: - if (!sb_rdonly(sb)) - return -EACCES; - UDF_SET_FLAG(sb, UDF_FLAG_RW_INCOMPAT); - return 0; -} - -static int udf_load_fileset(struct super_block *sb, struct fileSetDesc *fset, - struct kernel_lb_addr *root) -{ - int ret; - - ret = udf_verify_domain_identifier(sb, &fset->domainIdent, "file set"); - if (ret < 0) - return ret; - - *root = lelb_to_cpu(fset->rootDirectoryICB.extLocation); - UDF_SB(sb)->s_serial_number = le16_to_cpu(fset->descTag.tagSerialNum); - - udf_debug("Rootdir at block=%u, partition=%u\n", - root->logicalBlockNum, root->partitionReferenceNum); - return 0; -} - int udf_compute_nr_groups(struct super_block *sb, u32 partition) { struct udf_part_map *map = &UDF_SB(sb)->s_partmaps[partition]; -- cgit v1.2.3-58-ga151 From 18c2433cb8af4938bee01a766a2389f80e73d4ae Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Tue, 3 Sep 2019 14:40:18 +0200 Subject: ext2: Delete an unnecessary check before brelse() The brelse() function tests whether its argument is NULL and then returns immediately. Thus the test around the call is not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Link: https://lore.kernel.org/r/51dea296-2207-ebc0-bac3-13f3e5c3b235@web.de Signed-off-by: Jan Kara --- fs/ext2/super.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/ext2/super.c b/fs/ext2/super.c index 44eb6e7eb492..f4d5c624c4dc 100644 --- a/fs/ext2/super.c +++ b/fs/ext2/super.c @@ -162,8 +162,7 @@ static void ext2_put_super (struct super_block * sb) } db_count = sbi->s_gdb_count; for (i = 0; i < db_count; i++) - if (sbi->s_group_desc[i]) - brelse (sbi->s_group_desc[i]); + brelse(sbi->s_group_desc[i]); kfree(sbi->s_group_desc); kfree(sbi->s_debts); percpu_counter_destroy(&sbi->s_freeblocks_counter); -- cgit v1.2.3-58-ga151 From 4eb09e1112180672795f4238e9252531f607c7a7 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Tue, 3 Sep 2019 21:12:09 +0200 Subject: fs-udf: Delete an unnecessary check before brelse() The brelse() function tests whether its argument is NULL and then returns immediately. Thus the test around the call is not needed. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Link: https://lore.kernel.org/r/a254c1d1-0109-ab51-c67a-edc5c1c4b4cd@web.de Signed-off-by: Jan Kara --- fs/udf/super.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/udf/super.c b/fs/udf/super.c index 7ab29124961c..8c28e93e9b73 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -269,8 +269,7 @@ static void udf_sb_free_bitmap(struct udf_bitmap *bitmap) int nr_groups = bitmap->s_nr_groups; for (i = 0; i < nr_groups; i++) - if (bitmap->s_block_bitmap[i]) - brelse(bitmap->s_block_bitmap[i]); + brelse(bitmap->s_block_bitmap[i]); kvfree(bitmap); } -- cgit v1.2.3-58-ga151 From 6565c182094f69e4ffdece337d395eb7ec760efc Mon Sep 17 00:00:00 2001 From: Chao Yu Date: Wed, 11 Sep 2019 17:36:50 +0800 Subject: quota: fix wrong condition in is_quota_modification() Quoted from commit 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") " At LSF we decided that if we truncate up from isize we shouldn't trim fallocated blocks that were fallocated with KEEP_SIZE and are past the new i_size. This patch fixes ext4 to do this. " And generic/092 of fstest have covered this case for long time, however is_quota_modification() didn't adjust based on that rule, so that in below condition, we will lose to quota block change: - fallocate blocks beyond EOF - remount - truncate(file_path, file_size) Fix it. Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com Fixes: 3da40c7b0898 ("ext4: only call ext4_truncate when size <= isize") CC: stable@vger.kernel.org Signed-off-by: Chao Yu Signed-off-by: Jan Kara --- include/linux/quotaops.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/quotaops.h b/include/linux/quotaops.h index dc905a4ff8d7..185d94829701 100644 --- a/include/linux/quotaops.h +++ b/include/linux/quotaops.h @@ -22,7 +22,7 @@ static inline struct quota_info *sb_dqopt(struct super_block *sb) /* i_mutex must being held */ static inline bool is_quota_modification(struct inode *inode, struct iattr *ia) { - return (ia->ia_valid & ATTR_SIZE && ia->ia_size != inode->i_size) || + return (ia->ia_valid & ATTR_SIZE) || (ia->ia_valid & ATTR_UID && !uid_eq(ia->ia_uid, inode->i_uid)) || (ia->ia_valid & ATTR_GID && !gid_eq(ia->ia_gid, inode->i_gid)); } -- cgit v1.2.3-58-ga151