ovl: Optimize override/revert creds

Use override_creds_light() in ovl_override_creds() and
revert_creds_light() in ovl_revert_creds().

The _light() functions do not change the 'usage' of the credentials in
question, as they refer to the credentials associated with the
mounter, which have a longer lifetime.

In ovl_setup_cred_for_create(), do not need to modify the mounter
credentials (returned by override_creds_light()) 'usage' counter.
Add a warning to verify that we are indeed working with the mounter
credentials (stored in the superblock). Failure in this assumption
means that creds may leak.

Suggested-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>

diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 4b0bb7a91d37688a1559f8ae31ec2ac659a1ea92..5cf529482a8a36538d5ffb5a6eb4523ec9f2d1b4 100644 (file)
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -573,7 +573,15 @@ static const struct cred *ovl_setup_cred_for_create(struct dentry *dentry,
                put_cred(override_cred);
                return ERR_PTR(err);
        }
-       put_cred(override_creds(override_cred));
+
+       /*
+        * Caller is going to match this with revert_creds_light() and drop
+        * referenec on the returned creds.
+        * We must be called with creator creds already, otherwise we risk
+        * leaking creds.
+        */
+       old_cred = override_creds_light(override_cred);
+       WARN_ON_ONCE(old_cred != ovl_creds(dentry->d_sb));
 
        return override_cred;
 }

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 9408046f4f417f87b61f2a01975b5f2255d96334..3bb107471fb42c9589b3eee44ff33059a7dcd2a0 100644 (file)
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -65,12 +65,12 @@ const struct cred *ovl_override_creds(struct super_block *sb)
 {
        struct ovl_fs *ofs = OVL_FS(sb);
 
-       return override_creds(ofs->creator_cred);
+       return override_creds_light(ofs->creator_cred);
 }
 
 void ovl_revert_creds(const struct cred *old_cred)
 {
-       revert_creds(old_cred);
+       revert_creds_light(old_cred);
 }
 
 /*