From patchwork Mon Jun 29 18:31:10 2020
X-Patchwork-Submitter: Mauricio Faria de Oliveira
X-Patchwork-Id: 1318974
From: Mauricio Faria de Oliveira
To: kernel-team@lists.ubuntu.com
Subject: [X/B/D/E][PATCH 2/2] aufs: bugfix, IMA i_readcount
Date: Mon, 29 Jun 2020 15:31:10 -0300
Message-Id: <20200629183110.1533365-3-mfo@canonical.com>
In-Reply-To: <20200629183110.1533365-1-mfo@canonical.com>
References: <20200629183110.1533365-1-mfo@canonical.com>
List-Id: Kernel team discussions
From: "J. R. Okajima"

By the recent commit
	21913077f9918 2020-06-17 aufs: do not call i_readcount_inc()
a very old bug was fixed, which is imbalance counter.
But still aufs needs to call i_readcount_inc() when the branch
permission is changed from RW to RO. Otherwise the counter reaches 0
and BUG() in i_readcount_dec() will be activated.

Signed-off-by: J. R. Okajima
(cherry picked from commit f10aea57d39d6cd311312e9e7746804f7059b5c8 aufs4-linux.git)
CVE-2020-11935
Signed-off-by: Mauricio Faria de Oliveira
--- fs/aufs/branch.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/aufs/branch.c b/fs/aufs/branch.c index 17a45c89e2cf..b12a0da6a70e 100644 --- a/fs/aufs/branch.c +++ b/fs/aufs/branch.c @@ -1202,6 +1202,7 @@ static int au_br_mod_files_ro(struct super_block *sb, aufs_bindex_t bindex) unsigned char verbose, writer; struct file *file, *hf, **array; struct au_hfile *hfile; + struct inode *h_inode; mnt_flags = au_mntflags(sb); verbose = !!au_opt_test(mnt_flags, VERBOSE); @@ -1272,7 +1273,10 @@ static int au_br_mod_files_ro(struct super_block *sb, aufs_bindex_t bindex) hf->f_mode &= ~(FMODE_WRITE | FMODE_WRITER); spin_unlock(&hf->f_lock); if (writer) { - put_write_access(file_inode(hf)); + h_inode = file_inode(hf); + if (hf->f_mode & FMODE_READ) + i_readcount_inc(h_inode); + put_write_access(h_inode); __mnt_drop_write(hf->f_path.mnt); } }
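
Review bot: In the second hunk (the `if (writer)` block of au_br_mod_files_ro()), the new `i_readcount_inc(h_inode)` call carries no comment saying why a read count is taken during an RW to RO branch change, and the reason is only in the commit message. A short comment above `if (hf->f_mode & FMODE_READ)` stating that the file stops being a writer here and that the later i_readcount_dec() would otherwise hit BUG() at 0 would keep the next reader from removing it as an apparent imbalance. Two smaller points on the same lines: `hf->f_mode` is tested after `spin_unlock(&hf->f_lock)`, while the mask update just above is done under that lock; FMODE_READ is not touched by the visible mask, so the result is the same, but sampling the flag inside the locked region would keep all f_mode accesses in this function consistent. The ordering of `i_readcount_inc()` before `put_write_access(h_inode)` looks deliberate and is worth keeping as is. The commit message names 21913077f9918 as the change this follows up on; a Fixes: line for it would make the dependency between patch 1/2 and 2/2 explicit for anyone backporting only one of them.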