From: Greg Kroah-Hartman Date: Sat, 10 Mar 2018 00:13:34 +0000 (-0800) Subject: 4.9-stable patches X-Git-Tag: v3.18.99~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8fc914c728edf92d815d79395bc3985a546ee466;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch
---
diff --git a/queue-4.9/btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch b/queue-4.9/btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch
new file mode 100644
index 00000000000..066ad1cb997
--- /dev/null
+++ b/queue-4.9/btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch
@@ -0,0 +1,56 @@
+From d7d824966530acfe32b94d1ed672e6fe1638cd68 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
+
+Date: Wed, 2 Aug 2017 03:18:27 -0300
+Subject: btrfs: preserve i_mode if __btrfs_set_acl() fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ernesto A. Fernández
+
+commit d7d824966530acfe32b94d1ed672e6fe1638cd68 upstream.
+
+When changing a file's acl mask, btrfs_set_acl() will first set the
+group bits of i_mode to the value of the mask, and only then set the
+actual extended attribute representing the new acl.
+
+If the second part fails (due to lack of space, for example) and the
+file had no acl attribute to begin with, the system will from now on
+assume that the mask permission bits are actual group permission bits,
+potentially granting access to the wrong users.
+
+Prevent this by restoring the original mode bits if __btrfs_set_acl
+fails.
+
+Signed-off-by: Ernesto A. Fernández
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Nikolay Borisov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/acl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/acl.c
++++ b/fs/btrfs/acl.c
+@@ -114,13 +114,17 @@ out:
+ int btrfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+ int ret;
++ umode_t old_mode = inode->i_mode;
+
+ if (type == ACL_TYPE_ACCESS && acl) {
+ ret = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (ret)
+ return ret;
+ }
+- return __btrfs_set_acl(NULL, inode, acl, type);
++ ret = __btrfs_set_acl(NULL, inode, acl, type);
++ if (ret)
++ inode->i_mode = old_mode;
++ return ret;
+ }
+
+ /*
diff --git a/queue-4.9/series b/queue-4.9/series
index 60ab5c6bc1a..ff11551f587 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
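Review bot: The rollback at the end of btrfs_set_acl() carries no comment saying why i_mode is put back, and the reason is an access-control one: posix_acl_update_mode() has already written the mask-derived bits into `inode->i_mode` by the time `__btrfs_set_acl()` can fail. I would add `/* xattr was not written: undo the mode change so the mask is not left as group bits */` above `inode->i_mode = old_mode;`. The new mode still sits in the in-memory inode between the two calls, and the restore overwrites whatever i_mode holds at that point, so the fix appears to rely on the caller's inode locking to keep other i_mode writers out of that window. That locking and the body of __btrfs_set_acl() are outside the hunk, so it is worth confirming against the 4.9 tree that nothing on the failure path has already persisted the intermediate mode.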
@@ -62,3 +62,4 @@ bpf-x64-implement-retpoline-for-tail-call.patch
 bpf-arm64-fix-out-of-bounds-access-in-tail-call.patch
 bpf-add-schedule-points-in-percpu-arrays-management.patch
 bpf-ppc64-fix-out-of-bounds-access-in-tail-call.patch
+btrfs-preserve-i_mode-if-__btrfs_set_acl-fails.patch