From b13de2218752f2a9fe159ba2576b7c44a3fdef54 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 4 Feb 2014 11:50:29 -0800 Subject: [PATCH] 3.13-stable patches added patches: btrfs-handle-eagain-case-properly-in-btrfs_drop_snapshot.patch btrfs-restrict-snapshotting-to-own-subvolumes.patch btrfs-setup-inode-location-during-btrfs_init_inode_locked.patch --- ...case-properly-in-btrfs_drop_snapshot.patch | 32 +++++++ ...trict-snapshotting-to-own-subvolumes.patch | 49 +++++++++++ ...ation-during-btrfs_init_inode_locked.patch | 87 +++++++++++++++++++ queue-3.13/series | 3 + 4 files changed, 171 insertions(+) create mode 100644 queue-3.13/btrfs-handle-eagain-case-properly-in-btrfs_drop_snapshot.patch create mode 100644 queue-3.13/btrfs-restrict-snapshotting-to-own-subvolumes.patch create mode 100644 queue-3.13/btrfs-setup-inode-location-during-btrfs_init_inode_locked.patch diff --git a/queue-3.13/btrfs-handle-eagain-case-properly-in-btrfs_drop_snapshot.patch b/queue-3.13/btrfs-handle-eagain-case-properly-in-btrfs_drop_snapshot.patch new file mode 100644 index 00000000000..967f2a75cbd --- /dev/null +++ b/queue-3.13/btrfs-handle-eagain-case-properly-in-btrfs_drop_snapshot.patch @@ -0,0 +1,32 @@ +From 90515e7f5d7d24cbb2a4038a3f1b5cfa2921aa17 Mon Sep 17 00:00:00 2001 +From: Wang Shilong +Date: Tue, 7 Jan 2014 17:26:58 +0800 +Subject: Btrfs: handle EAGAIN case properly in btrfs_drop_snapshot() + +From: Wang Shilong + +commit 90515e7f5d7d24cbb2a4038a3f1b5cfa2921aa17 upstream. + +We may return early in btrfs_drop_snapshot(), we shouldn't +call btrfs_std_err() for this case, fix it. + +Signed-off-by: Wang Shilong +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -7779,7 +7779,7 @@ out: + */ + if (!for_reloc && root_dropped == false) + btrfs_add_dead_root(root); +- if (err) ++ if (err && err != -EAGAIN) + btrfs_std_error(root->fs_info, err); + return err; + } diff --git a/queue-3.13/btrfs-restrict-snapshotting-to-own-subvolumes.patch b/queue-3.13/btrfs-restrict-snapshotting-to-own-subvolumes.patch new file mode 100644 index 00000000000..b476f6e1c0c --- /dev/null +++ b/queue-3.13/btrfs-restrict-snapshotting-to-own-subvolumes.patch @@ -0,0 +1,49 @@ +From d024206133ce21936b3d5780359afc00247655b7 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Wed, 15 Jan 2014 18:15:52 +0100 +Subject: btrfs: restrict snapshotting to own subvolumes + +From: David Sterba + +commit d024206133ce21936b3d5780359afc00247655b7 upstream. + +Currently, any user can snapshot any subvolume if the path is accessible and +thus indirectly create and keep files he does not own under his direcotries. +This is not possible with traditional directories. + +In security context, a user can snapshot root filesystem and pin any +potentially buggy binaries, even if the updates are applied. + +All the snapshots are visible to the administrator, so it's possible to +verify if there are suspicious snapshots. + +Another more practical problem is that any user can pin the space used +by eg. root and cause ENOSPC. + +Original report: +https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786 + +Signed-off-by: David Sterba +Signed-off-by: Josef Bacik +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -1545,6 +1545,12 @@ static noinline int btrfs_ioctl_snap_cre + printk(KERN_INFO "btrfs: Snapshot src from " + "another FS\n"); + ret = -EINVAL; ++ } else if (!inode_owner_or_capable(src_inode)) { ++ /* ++ * Subvolume creation is not restricted, but snapshots ++ * are limited to own subvolumes only ++ */ ++ ret = -EPERM; + } else { + ret = btrfs_mksubvol(&file->f_path, name, namelen, + BTRFS_I(src_inode)->root, diff --git a/queue-3.13/btrfs-setup-inode-location-during-btrfs_init_inode_locked.patch b/queue-3.13/btrfs-setup-inode-location-during-btrfs_init_inode_locked.patch new file mode 100644 index 00000000000..43ba19af7e5 --- /dev/null +++ b/queue-3.13/btrfs-setup-inode-location-during-btrfs_init_inode_locked.patch @@ -0,0 +1,87 @@ +From 90d3e592e99b8e374ead2b45148abf506493a959 Mon Sep 17 00:00:00 2001 +From: Chris Mason +Date: Thu, 9 Jan 2014 17:28:00 -0800 +Subject: Btrfs: setup inode location during btrfs_init_inode_locked + +From: Chris Mason + +commit 90d3e592e99b8e374ead2b45148abf506493a959 upstream. + +We have a race during inode init because the BTRFS_I(inode)->location is setup +after the inode hash table lock is dropped. btrfs_find_actor uses the location +field, so our search might not find an existing inode in the hash table if we +race with the inode init code. + +This commit changes things to setup the location field sooner. Also the find actor now +uses only the location objectid to match inodes. For inode hashing, we just +need a unique and stable test, it doesn't have to reflect the inode numbers we +show to userland. + +Signed-off-by: Chris Mason +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -60,7 +60,7 @@ + #include "hash.h" + + struct btrfs_iget_args { +- u64 ino; ++ struct btrfs_key *location; + struct btrfs_root *root; + }; + +@@ -4818,7 +4818,9 @@ again: + static int btrfs_init_locked_inode(struct inode *inode, void *p) + { + struct btrfs_iget_args *args = p; +- inode->i_ino = args->ino; ++ inode->i_ino = args->location->objectid; ++ memcpy(&BTRFS_I(inode)->location, args->location, ++ sizeof(*args->location)); + BTRFS_I(inode)->root = args->root; + return 0; + } +@@ -4826,19 +4828,19 @@ static int btrfs_init_locked_inode(struc + static int btrfs_find_actor(struct inode *inode, void *opaque) + { + struct btrfs_iget_args *args = opaque; +- return args->ino == btrfs_ino(inode) && ++ return args->location->objectid == BTRFS_I(inode)->location.objectid && + args->root == BTRFS_I(inode)->root; + } + + static struct inode *btrfs_iget_locked(struct super_block *s, +- u64 objectid, ++ struct btrfs_key *location, + struct btrfs_root *root) + { + struct inode *inode; + struct btrfs_iget_args args; +- unsigned long hashval = btrfs_inode_hash(objectid, root); ++ unsigned long hashval = btrfs_inode_hash(location->objectid, root); + +- args.ino = objectid; ++ args.location = location; + args.root = root; + + inode = iget5_locked(s, hashval, btrfs_find_actor, +@@ -4855,13 +4857,11 @@ struct inode *btrfs_iget(struct super_bl + { + struct inode *inode; + +- inode = btrfs_iget_locked(s, location->objectid, root); ++ inode = btrfs_iget_locked(s, location, root); + if (!inode) + return ERR_PTR(-ENOMEM); + + if (inode->i_state & I_NEW) { +- BTRFS_I(inode)->root = root; +- memcpy(&BTRFS_I(inode)->location, location, sizeof(*location)); + btrfs_read_locked_inode(inode); + if (!is_bad_inode(inode)) { + inode_tree_add(inode); diff --git a/queue-3.13/series b/queue-3.13/series index 94d25930d7f..8337feb0d73 100644 --- a/queue-3.13/series +++ b/queue-3.13/series @@ -133,3 +133,6 @@ scsi-qla4xxx-overflow-in-qla4xxx_set_chap_entry.patch virtio-scsi-fix-hotcpu_notifier-use-after-free-with-virtscsi_freeze.patch iscsi-target-pre-allocate-more-tags-to-avoid-ack-starvation.patch target-iscsi-fix-network-portal-creation-race.patch +btrfs-handle-eagain-case-properly-in-btrfs_drop_snapshot.patch +btrfs-setup-inode-location-during-btrfs_init_inode_locked.patch +btrfs-restrict-snapshotting-to-own-subvolumes.patch -- 2.47.2