xfs: Propagate dentry down to inode_change_ok()

[ upstream commit 69bca80744eef58fa155e8042996b968fec17b26 ]

To avoid clearing of capabilities or security related extended
attributes too early, inode_change_ok() will need to take dentry instead
of inode. Propagate dentry down to functions calling inode_change_ok().
This is rather straightforward except for xfs_set_mode() function which
does not have dentry easily available. Luckily that function does not
call inode_change_ok() anyway so we just have to do a little dance with
function prototypes.

References: CVE-2015-1350
Acked-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Conflicts: Missing file_dentry() from d101a125954eae1d397adda94ca6319485a50493
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>

diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 3b7591224f4a6698d32371a927e70cb2a391f4a9..550f8c4733ee0fd56e01e8a782e6e2faeebc6126 100644 (file)
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -973,7 +973,7 @@ xfs_file_fallocate(
 
                iattr.ia_valid = ATTR_SIZE;
                iattr.ia_size = new_size;
-               error = xfs_setattr_size(ip, &iattr);
+               error = xfs_vn_setattr_size(file->f_path.dentry, &iattr);
                if (error)
                        goto out_unlock;
        }

diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
index c29f34253e2b92317f63674bc15dfc0ece335220..6b67d617c09274afe73a75ff1c1f32331fbd2948 100644 (file)
--- a/fs/xfs/xfs_inode.c
+++ b/fs/xfs/xfs_inode.c
@@ -1766,7 +1766,7 @@ xfs_inactive_truncate(
        /*
         * Log the inode size first to prevent stale data exposure in the event
         * of a system crash before the truncate completes. See the related
-        * comment in xfs_setattr_size() for details.
+        * comment in xfs_vn_setattr_size() for details.
         */
        ip->i_d.di_size = 0;
        xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 87f67c6b654cb5c9899c5c566d238f5a9ea1f04a..82e49109d0b618b4a15ee64fee1c06325107f694 100644 (file)
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -720,7 +720,7 @@ xfs_ioc_space(
                iattr.ia_valid = ATTR_SIZE;
                iattr.ia_size = bf->l_start;
 
-               error = xfs_setattr_size(ip, &iattr);
+               error = xfs_vn_setattr_size(filp->f_path.dentry, &iattr);
                break;
        default:
                ASSERT(0);

diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
index f4cd7204e23667724c01a4c4b8efe8c1d48b1cb3..274b8b99edfa162743f607857170d9ca832c9418 100644 (file)
--- a/fs/xfs/xfs_iops.c
+++ b/fs/xfs/xfs_iops.c
@@ -537,6 +537,30 @@ xfs_setattr_time(
        }
 }
 
+static int
+xfs_vn_change_ok(
+       struct dentry   *dentry,
+       struct iattr    *iattr)
+{
+       struct inode            *inode = d_inode(dentry);
+       struct xfs_inode        *ip = XFS_I(inode);
+       struct xfs_mount        *mp = ip->i_mount;
+
+       if (mp->m_flags & XFS_MOUNT_RDONLY)
+               return -EROFS;
+
+       if (XFS_FORCED_SHUTDOWN(mp))
+               return -EIO;
+
+       return inode_change_ok(inode, iattr);
+}
+
+/*
+ * Set non-size attributes of an inode.
+ *
+ * Caution: The caller of this function is responsible for calling
+ * inode_change_ok() or otherwise verifying the change is fine.
+ */
 int
 xfs_setattr_nonsize(
        struct xfs_inode        *ip,
@@ -553,21 +577,6 @@ xfs_setattr_nonsize(
        struct xfs_dquot        *udqp = NULL, *gdqp = NULL;
        struct xfs_dquot        *olddquot1 = NULL, *olddquot2 = NULL;
 
-       trace_xfs_setattr(ip);
-
-       /* If acls are being inherited, we already have this checked */
-       if (!(flags & XFS_ATTR_NOACL)) {
-               if (mp->m_flags & XFS_MOUNT_RDONLY)
-                       return -EROFS;
-
-               if (XFS_FORCED_SHUTDOWN(mp))
-                       return -EIO;
-
-               error = inode_change_ok(inode, iattr);
-               if (error)
-                       return error;
-       }
-
        ASSERT((mask & ATTR_SIZE) == 0);
 
        /*
@@ -741,8 +750,27 @@ out_dqrele:
        return error;
 }
 
+int
+xfs_vn_setattr_nonsize(
+       struct dentry           *dentry,
+       struct iattr            *iattr)
+{
+       struct xfs_inode        *ip = XFS_I(d_inode(dentry));
+       int error;
+
+       trace_xfs_setattr(ip);
+
+       error = xfs_vn_change_ok(dentry, iattr);
+       if (error)
+               return error;
+       return xfs_setattr_nonsize(ip, iattr, 0);
+}
+
 /*
  * Truncate file.  Must have write permission and not be a directory.
+ *
+ * Caution: The caller of this function is responsible for calling
+ * inode_change_ok() or otherwise verifying the change is fine.
  */
 int
 xfs_setattr_size(
@@ -758,18 +786,6 @@ xfs_setattr_size(
        uint                    commit_flags = 0;
        bool                    did_zeroing = false;
 
-       trace_xfs_setattr(ip);
-
-       if (mp->m_flags & XFS_MOUNT_RDONLY)
-               return -EROFS;
-
-       if (XFS_FORCED_SHUTDOWN(mp))
-               return -EIO;
-
-       error = inode_change_ok(inode, iattr);
-       if (error)
-               return error;
-
        ASSERT(xfs_isilocked(ip, XFS_IOLOCK_EXCL));
        ASSERT(xfs_isilocked(ip, XFS_MMAPLOCK_EXCL));
        ASSERT(S_ISREG(ip->i_d.di_mode));
@@ -941,16 +957,32 @@ out_trans_cancel:
        goto out_unlock;
 }
 
+int
+xfs_vn_setattr_size(
+       struct dentry           *dentry,
+       struct iattr            *iattr)
+{
+       struct xfs_inode        *ip = XFS_I(d_inode(dentry));
+       int error;
+
+       trace_xfs_setattr(ip);
+
+       error = xfs_vn_change_ok(dentry, iattr);
+       if (error)
+               return error;
+       return xfs_setattr_size(ip, iattr);
+}
+
 STATIC int
 xfs_vn_setattr(
        struct dentry           *dentry,
        struct iattr            *iattr)
 {
-       struct xfs_inode        *ip = XFS_I(d_inode(dentry));
        int                     error;
 
        if (iattr->ia_valid & ATTR_SIZE) {
-               uint            iolock = XFS_IOLOCK_EXCL;
+               struct xfs_inode        *ip = XFS_I(d_inode(dentry));
+               uint                    iolock = XFS_IOLOCK_EXCL;
 
                xfs_ilock(ip, iolock);
                error = xfs_break_layouts(d_inode(dentry), &iolock, true);
@@ -958,11 +990,11 @@ xfs_vn_setattr(
                        xfs_ilock(ip, XFS_MMAPLOCK_EXCL);
                        iolock |= XFS_MMAPLOCK_EXCL;
 
-                       error = xfs_setattr_size(ip, iattr);
+                       error = xfs_vn_setattr_size(dentry, iattr);
                }
                xfs_iunlock(ip, iolock);
        } else {
-               error = xfs_setattr_nonsize(ip, iattr, 0);
+               error = xfs_vn_setattr_nonsize(dentry, iattr);
        }
 
        return error;

diff --git a/fs/xfs/xfs_iops.h b/fs/xfs/xfs_iops.h
index a0f84abb0d09d34e0893e6c61b6e01c287a9946a..0259a383721a5eadf6aea62c36780b2c7a107ee4 100644 (file)
--- a/fs/xfs/xfs_iops.h
+++ b/fs/xfs/xfs_iops.h
@@ -33,6 +33,7 @@ extern ssize_t xfs_vn_listxattr(struct dentry *, char *data, size_t size);
 extern void xfs_setattr_time(struct xfs_inode *ip, struct iattr *iattr);
 extern int xfs_setattr_nonsize(struct xfs_inode *ip, struct iattr *vap,
                               int flags);
-extern int xfs_setattr_size(struct xfs_inode *ip, struct iattr *vap);
+extern int xfs_vn_setattr_nonsize(struct dentry *dentry, struct iattr *vap);
+extern int xfs_vn_setattr_size(struct dentry *dentry, struct iattr *vap);
 
 #endif /* __XFS_IOPS_H__ */