From: Jan Kara jack@suse.cz
mainline inclusion
from mainline-v5.17-rc2
commit ea8569194b43f0f01f0a84c689388542c7254a1f
category: bugfix
bugzilla: 186269
CVE: CVE-2022-0617
--------------------------------
When we fail to expand inode from inline format to a normal format, we restore inode to contain the original inline formatting but we forgot to set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then causing further problems such as warnings and lost data down the line.
Reported-by: butt3rflyh4ck butterflyhuangxx@gmail.com
CC: stable@vger.kernel.org
Fixes: 7e49b6f2480c ("udf: Convert UDF to new truncate calling sequence")
Reviewed-by: Christoph Hellwig hch@lst.de
Signed-off-by: Jan Kara jack@suse.cz
Signed-off-by: Zhang Wensheng zhangwensheng5@huawei.com
Reviewed-by: Zhang Yi yi.zhang@huawei.com
Reviewed-by: Xiu Jianfeng xiujianfeng@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 fs/udf/inode.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index d1fab052ac759..b34c9cb208ccb 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -306,6 +306,7 @@ int udf_expand_file_adinicb(struct inode *inode) unlock_page(page); iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; inode->i_data.a_ops = &udf_adinicb_aops; + iinfo->i_lenAlloc = inode->i_size; up_write(&iinfo->i_data_sem); } put_page(page);
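Review bot: the added line `iinfo->i_lenAlloc = inode->i_size;` in the failure path of udf_expand_file_adinicb() has no comment, and it relies on inode->i_size still holding the inline data length at this point, which the visible context does not show. It is worth confirming that nothing between the start of the expansion attempt and this restore can change i_size, and adding a one-line comment above the assignment saying that an in-ICB file must have i_lenAlloc equal to i_size, since that is the invariant the commit message says was being broken. The placement before `up_write(&iinfo->i_data_sem);` looks right, because it keeps the restore of i_alloc_type, a_ops and i_lenAlloc together under the same semaphore.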