From: David Howells <dhowells@redhat.com>
Date: Tue, 23 Aug 2022 14:07:55 +0100
Subject: [PATCH] smb3: fix temporary data corruption in insert range
Git-commit: 9c8b7a293f50253e694f19161c045817a938e551
References: bsc#1190317 CVE-2022-48667 bsc#1223518
Patch-mainline: v6.0-rc4

insert range doesn't discard the affected cached region
so can risk temporarily corrupting file data.

Also includes some minor cleanup (reading the inode size once into a
local instead of rereading it repeatedly) to make the logic clearer.

Cc: stable@vger.kernel.org
Fixes: 7fe6fe95b936 ("cifs: add FALLOC_FL_INSERT_RANGE support")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 fs/cifs/smb2ops.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -3751,17 +3751,21 @@ static long smb3_insert_range(struct fil
 	unsigned int xid;
 	struct cifsFileInfo *cfile = file->private_data;
 	__le64 eof;
-	__u64  count;
+	__u64  count, old_eof;
 
 	xid = get_xid();
 
-	if (off >= i_size_read(file->f_inode)) {
+	inode_lock(file->f_inode);
+
+	old_eof = i_size_read(file->f_inode);
+
+	if (off >= old_eof) {
 		rc = -EINVAL;
 		goto out;
 	}
 
-	count = i_size_read(file->f_inode) - off;
-	eof = cpu_to_le64(i_size_read(file->f_inode) + len);
+	count = old_eof - off;
+	eof = cpu_to_le64(old_eof + len);
 
 	rc = SMB2_set_eof(xid, tcon, cfile->fid.persistent_fid,
 			  cfile->fid.volatile_fid, cfile->pid, &eof);
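Review bot: Nothing in this hunk writes back or discards the cached pages for the affected range before SMB2_set_eof is issued on the server, even though the description says the defect is that insert range "doesn't discard the affected cached region"; what the hunk visibly adds is inode_lock() and the old_eof snapshot, which serialises the operation but leaves whatever is already in the page cache for [off, old_eof) in place to be read back while the server-side data has moved. If that invalidation is not done in the unseen middle of the function (the body between the two hunks is outside SOURCE), the backport is incomplete and should, after computing eof, do something like `rc = filemap_write_and_wait_range(file->f_inode->i_mapping, off, old_eof + len - 1); if (rc < 0) goto out; truncate_pagecache_range(file->f_inode, off, old_eof);` before the SMB2_set_eof call. As a style point, `file->f_inode` is now read four times in the hunk; a local `struct inode *inode = file_inode(file);` would make the lock/unlock pairing easier to audit. smb3_insert_range's signature and the rest of its body start and end outside this hunk.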
@@ -3778,6 +3782,7 @@ static long smb3_insert_range(struct fil
 
 	rc = 0;
  out:
+	inode_unlock(file->f_inode);
 	free_xid(xid);
 	return rc;
 }