Debian 2.6.18 1-13etch3 security patches

svn path=/patches/; revision=46

7 files changed, 746 insertions, 0 deletions

diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 9480e73..e49351c 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -161,6 +161,31 @@ Patches
     [SECURITY] Require admin capabilities to issue ioctls to aacraid devices
     See CVE-2007-4308
 
+30031_ptrace-handle-bogus-selector.patch,
+30032_fixup-trace_irq-breakage.patch
+    [SECURITY] Handle an invalid LDT segment selector %cs (the xcs field)
+    during ptrace single-step operations that can be used to trigger a
+    NULL-pointer dereference causing an Oops.
+    See CVE-2007-3731
+
+30033_prevent-stack-growth-into-hugetlb-region.patch
+    [SECURITY] Prevent OOPS during stack expansion when the VMA crosses
+    into address space reserved for hugetlb pages.
+    See CVE-2007-3739
+
+30034_cifs-honor-umask.patch
+    [SECURITY] Make CIFS honor a process' umask
+    See CVE-2007-3740
+
+30035_amd64-zero-extend-32bit-ptrace.patch
+    [SECURITY] Zero extend all registers after ptrace in 32-bit entry path.
+    See CVE-2007-4573
+
+30036_jffs2-ACL-vs-mode-handling.patch
+    [SECURITY] Write correct legacy modes to the medium on inode creation to
+    prevent incorrect permissions upon remount.
+    See CVE-2007-4849
+
 50001_make-install.patch
     Handle make install in a semi-sane way that plays nice with
     split domU/dom0 kernels.
diff --git a/trunk/2.6.18/30031_ptrace-handle-bogus-selector.patch b/trunk/2.6.18/30031_ptrace-handle-bogus-selector.patch
new file mode 100644
index 0000000..2aacd3b
--- /dev/null
+++ b/trunk/2.6.18/30031_ptrace-handle-bogus-selector.patch
@@ -0,0 +1,86 @@
+From: Roland McGrath <roland@redhat.com>
+Date: Mon, 16 Jul 2007 08:03:16 +0000 (-0700)
+Subject: Handle bogus %cs selector in single-step instruction decoding
+X-Git-Tag: v2.6.23-rc1~492
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=29eb51101c02df517ca64ec472d7501127ad1da8
+
+Handle bogus %cs selector in single-step instruction decoding
+
+The code for LDT segment selectors was not robust in the face of a bogus
+selector set in %cs via ptrace before the single-step was done.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c linux-source-2.6.18/arch/i386/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/ptrace.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/ptrace.c	2007-09-19 23:45:45.949576125 -0600
+@@ -172,14 +172,22 @@ static unsigned long convert_eip_to_line
+ 		u32 *desc;
+ 		unsigned long base;
+ 
+-		down(&child->mm->context.sem);
+-		desc = child->mm->context.ldt + (seg & ~7);
+-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++		seg &= ~7UL;
+ 
+-		/* 16-bit code segment? */
+-		if (!((desc[1] >> 22) & 1))
+-			addr &= 0xffff;
+-		addr += base;
++		down(&child->mm->context.sem);
++		if (unlikely((seg >> 3) >= child->mm->context.size))
++			addr = -1L; /* bogus selector, access would fault */
++		else {
++			desc = child->mm->context.ldt + seg;
++			base = ((desc[0] >> 16) |
++				((desc[1] & 0xff) << 16) |
++				(desc[1] & 0xff000000));
++
++			/* 16-bit code segment? */
++			if (!((desc[1] >> 22) & 1))
++				addr &= 0xffff;
++			addr += base;
++		}
+ 		up(&child->mm->context.sem);
+ 	}
+ 	return addr;
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c	2007-09-19 23:45:45.953575027 -0600
+@@ -103,16 +103,25 @@ unsigned long convert_rip_to_linear(stru
+ 		u32 *desc;
+ 		unsigned long base;
+ 
+-		down(&child->mm->context.sem);
+-		desc = child->mm->context.ldt + (seg & ~7);
+-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
++		seg &= ~7UL;
+ 
+-		/* 16-bit code segment? */
+-		if (!((desc[1] >> 22) & 1))
+-			addr &= 0xffff;
+-		addr += base;
++		down(&child->mm->context.sem);
++		if (unlikely((seg >> 3) >= child->mm->context.size))
++			addr = -1L; /* bogus selector, access would fault */
++		else {
++			desc = child->mm->context.ldt + seg;
++			base = ((desc[0] >> 16) |
++				((desc[1] & 0xff) << 16) |
++				(desc[1] & 0xff000000));
++
++			/* 16-bit code segment? */
++			if (!((desc[1] >> 22) & 1))
++				addr &= 0xffff;
++			addr += base;
++		}
+ 		up(&child->mm->context.sem);
+ 	}
++
+ 	return addr;
+ }
+ 
diff --git a/trunk/2.6.18/30032_fixup-trace_irq-breakage.patch b/trunk/2.6.18/30032_fixup-trace_irq-breakage.patch
new file mode 100644
index 0000000..383f5d8
--- /dev/null
+++ b/trunk/2.6.18/30032_fixup-trace_irq-breakage.patch
@@ -0,0 +1,64 @@
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Wed, 18 Jul 2007 18:59:22 +0000 (+0200)
+Subject: i386: fixup TRACE_IRQ breakage
+X-Git-Tag: v2.6.23-rc1~491
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=a10d9a71bafd3a283da240d2868e71346d2aef6f
+
+i386: fixup TRACE_IRQ breakage
+
+The TRACE_IRQS_ON function in iret_exc: calls a C function without
+ensuring that the segments are set properly. Move the trace function and
+the enabling of interrupt into the C stub.
+
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/entry.S linux-source-2.6.18/arch/i386/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/i386/kernel/entry.S	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/entry.S	2007-09-19 23:53:22.929573806 -0600
+@@ -384,8 +384,6 @@ restore_nocheck_notrace:
+ 1:	iret
+ .section .fixup,"ax"
+ iret_exc:
+-	TRACE_IRQS_ON
+-	sti
+ 	pushl $0			# no error code
+ 	pushl $do_iret_error
+ 	jmp error_code
+diff -urpN linux-source-2.6.18.orig/arch/i386/kernel/traps.c linux-source-2.6.18/arch/i386/kernel/traps.c
+--- linux-source-2.6.18.orig/arch/i386/kernel/traps.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/i386/kernel/traps.c	2007-09-19 23:47:18.209575527 -0600
+@@ -516,10 +516,12 @@ fastcall void do_##name(struct pt_regs *
+ 	do_trap(trapnr, signr, str, 0, regs, error_code, NULL); \
+ }
+ 
+-#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr) \
++#define DO_ERROR_INFO(trapnr, signr, str, name, sicode, siaddr, irq) \
+ fastcall void do_##name(struct pt_regs * regs, long error_code) \
+ { \
+ 	siginfo_t info; \
++	if (irq) \
++		local_irq_enable(); \
+ 	info.si_signo = signr; \
+ 	info.si_errno = 0; \
+ 	info.si_code = sicode; \
+@@ -559,13 +561,13 @@ DO_VM86_ERROR( 3, SIGTRAP, "int3", int3)
+ #endif
+ DO_VM86_ERROR( 4, SIGSEGV, "overflow", overflow)
+ DO_VM86_ERROR( 5, SIGSEGV, "bounds", bounds)
+-DO_ERROR_INFO( 6, SIGILL,  "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip)
++DO_ERROR_INFO( 6, SIGILL,  "invalid opcode", invalid_op, ILL_ILLOPN, regs->eip, 0)
+ DO_ERROR( 9, SIGFPE,  "coprocessor segment overrun", coprocessor_segment_overrun)
+ DO_ERROR(10, SIGSEGV, "invalid TSS", invalid_TSS)
+ DO_ERROR(11, SIGBUS,  "segment not present", segment_not_present)
+ DO_ERROR(12, SIGBUS,  "stack segment", stack_segment)
+-DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0)
+-DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0)
++DO_ERROR_INFO(17, SIGBUS, "alignment check", alignment_check, BUS_ADRALN, 0, 0)
++DO_ERROR_INFO(32, SIGSEGV, "iret exception", iret_error, ILL_BADSTK, 0, 1)
+ 
+ fastcall void __kprobes do_general_protection(struct pt_regs * regs,
+ 					      long error_code)
diff --git a/trunk/2.6.18/30033_prevent-stack-growth-into-hugetlb-region.patch b/trunk/2.6.18/30033_prevent-stack-growth-into-hugetlb-region.patch
new file mode 100644
index 0000000..caa7fa7
--- /dev/null
+++ b/trunk/2.6.18/30033_prevent-stack-growth-into-hugetlb-region.patch
@@ -0,0 +1,47 @@
+From: Adam Litke <agl@us.ibm.com>
+Date: Tue, 30 Jan 2007 22:35:39 +0000 (-0800)
+Subject: [PATCH] Don't allow the stack to grow into hugetlb reserved regions
+X-Git-Tag: v2.6.20-rc7~10
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=0d59a01bc461bbab4017ff449b8401151ef44cf6
+
+[PATCH] Don't allow the stack to grow into hugetlb reserved regions
+
+When expanding the stack, we don't currently check if the VMA will cross
+into an area of the address space that is reserved for hugetlb pages.
+Subsequent faults on the expanded portion of such a VMA will confuse the
+low-level MMU code, resulting in an OOPS.  Check for this.
+
+Signed-off-by: Adam Litke <agl@us.ibm.com>
+Cc: David Gibson <david@gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli@holomorphy.com>
+Cc: Hugh Dickins <hugh@veritas.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/mm/mmap.c b/mm/mmap.c
+index 9717337..cc3a208 100644
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1477,6 +1477,7 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	struct rlimit *rlim = current->signal->rlim;
++	unsigned long new_start;
+ 
+ 	/* address space limit tests */
+ 	if (!may_expand_vm(mm, grow))
+@@ -1496,6 +1497,12 @@ static int acct_stack_growth(struct vm_area_struct * vma, unsigned long size, un
+ 			return -ENOMEM;
+ 	}
+ 
++	/* Check to ensure the stack will not grow into a hugetlb-only region */
++	new_start = (vma->vm_flags & VM_GROWSUP) ? vma->vm_start :
++			vma->vm_end - size;
++	if (is_hugepage_only_range(vma->vm_mm, new_start, size))
++		return -EFAULT;
++
+ 	/*
+ 	 * Overcommit..  This must be the final test, as it will
+ 	 * update security statistics.
diff --git a/trunk/2.6.18/30034_cifs-honor-umask.patch b/trunk/2.6.18/30034_cifs-honor-umask.patch
new file mode 100644
index 0000000..bf45500
--- /dev/null
+++ b/trunk/2.6.18/30034_cifs-honor-umask.patch
@@ -0,0 +1,81 @@
+From: Steve French <sfrench@us.ibm.com>
+Date: Fri, 8 Jun 2007 14:55:14 +0000 (+0000)
+Subject: [CIFS] CIFS should honour umask
+X-Git-Tag: v2.6.22-rc5~50^2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f
+
+[CIFS] CIFS should honour umask
+
+This patch makes CIFS honour a process' umask like other filesystems.
+Of course the server is still free to munge the permissions if it wants
+to; but the client will send the "right" permissions to begin with.
+
+A few caveats:
+
+1) It only applies to filesystems that have CAP_UNIX (aka support unix
+extensions)
+2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms()
+after remote creation
+
+When mode to CIFS/NTFS ACL mapping is complete we can do the
+same thing for that case for servers which do not
+support the Unix Extensions.
+
+Signed-off-by: Matt Keenen <matt@opcode-solutions.com>
+Signed-off-by: Steve French <sfrench@us.ibm.com>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/dir.c linux-source-2.6.18/fs/cifs/dir.c
+--- linux-source-2.6.18.orig/fs/cifs/dir.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/dir.c	2007-09-24 22:49:29.509100350 -0600
+@@ -199,7 +199,8 @@ cifs_create(struct inode *inode, struct 
+ 		/* If Open reported that we actually created a file
+ 		then we now have to set the mode if possible */
+ 		if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) &&
+-			(oplock & CIFS_CREATE_ACTION))
++			(oplock & CIFS_CREATE_ACTION)) {
++			mode &= ~current->fs->umask;
+ 			if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ 				CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode,
+ 					(__u64)current->fsuid,
+@@ -217,7 +218,7 @@ cifs_create(struct inode *inode, struct 
+ 					cifs_sb->mnt_cifs_flags & 
+ 						CIFS_MOUNT_MAP_SPECIAL_CHR);
+ 			}
+-		else {
++		} else {
+ 			/* BB implement mode setting via Windows security descriptors */
+ 			/* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/
+ 			/* could set r/o dos attribute if mode & 0222 == 0 */
+@@ -325,6 +326,7 @@ int cifs_mknod(struct inode *inode, stru
+ 	if(full_path == NULL)
+ 		rc = -ENOMEM;
+ 	else if (pTcon->ses->capabilities & CAP_UNIX) {
++		mode &= ~current->fs->umask;
+ 		if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ 			rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path,
+ 				mode,(__u64)current->fsuid,(__u64)current->fsgid,
+diff -urpN linux-source-2.6.18.orig/fs/cifs/inode.c linux-source-2.6.18/fs/cifs/inode.c
+--- linux-source-2.6.18.orig/fs/cifs/inode.c	2007-09-18 16:46:11.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/inode.c	2007-09-24 22:50:34.825099389 -0600
+@@ -751,7 +751,8 @@ int cifs_mkdir(struct inode *inode, stru
+ 		d_instantiate(direntry, newinode);
+ 		if (direntry->d_inode)
+ 			direntry->d_inode->i_nlink = 2;
+-		if (cifs_sb->tcon->ses->capabilities & CAP_UNIX)
++		if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) {
++			mode &= ~current->fs->umask;
+ 			if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
+ 				CIFSSMBUnixSetPerms(xid, pTcon, full_path,
+ 						    mode,
+@@ -769,7 +770,7 @@ int cifs_mkdir(struct inode *inode, stru
+ 						    cifs_sb->mnt_cifs_flags & 
+ 						    CIFS_MOUNT_MAP_SPECIAL_CHR);
+ 			}
+-		else {
++		} else {
+ 			/* BB to be implemented via Windows secrty descriptors
+ 			   eg CIFSSMBWinSetPerms(xid, pTcon, full_path, mode,
+ 						 -1, -1, local_nls); */
diff --git a/trunk/2.6.18/30035_amd64-zero-extend-32bit-ptrace.patch b/trunk/2.6.18/30035_amd64-zero-extend-32bit-ptrace.patch
new file mode 100644
index 0000000..0f2637a
--- /dev/null
+++ b/trunk/2.6.18/30035_amd64-zero-extend-32bit-ptrace.patch
@@ -0,0 +1,88 @@
+From: Andi Kleen <ak@suse.de>
+Date: Fri, 21 Sep 2007 14:16:18 +0000 (+0200)
+Subject: x86_64: Zero extend all registers after ptrace in 32bit entry path.
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=176df2457ef6207156ca1a40991c54ca01fef567
+
+x86_64: Zero extend all registers after ptrace in 32bit entry path.
+
+Strictly it's only needed for eax.
+
+It actually does a little more than strictly needed -- the other registers
+are already zero extended.
+
+Also remove the now unnecessary and non functional compat task check
+in ptrace.
+
+This is CVE-2007-4573
+
+Found by Wojciech Purczynski
+
+Signed-off-by: Andi Kleen <ak@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry.S linux-source-2.6.18/arch/x86_64/ia32/ia32entry.S
+--- linux-source-2.6.18.orig/arch/x86_64/ia32/ia32entry.S	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/ia32/ia32entry.S	2007-09-25 00:10:16.089100799 -0600
+@@ -38,6 +38,18 @@
+ 	movq	%rax,R8(%rsp)
+ 	.endm
+ 
++	.macro LOAD_ARGS32 offset
++	movl \offset(%rsp),%r11d
++	movl \offset+8(%rsp),%r10d
++	movl \offset+16(%rsp),%r9d
++	movl \offset+24(%rsp),%r8d
++	movl \offset+40(%rsp),%ecx
++	movl \offset+48(%rsp),%edx
++	movl \offset+56(%rsp),%esi
++	movl \offset+64(%rsp),%edi
++	movl \offset+72(%rsp),%eax
++	.endm
++	
+ 	.macro CFI_STARTPROC32 simple
+ 	CFI_STARTPROC	\simple
+ 	CFI_UNDEFINED	r8
+@@ -151,7 +163,7 @@ sysenter_tracesys:
+ 	movq	$-ENOSYS,RAX(%rsp)	/* really needed? */
+ 	movq	%rsp,%rdi        /* &pt_regs -> arg1 */
+ 	call	syscall_trace_enter
+-	LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed it */
++	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+ 	movl	%ebp, %ebp
+ 	/* no need to do an access_ok check here because rbp has been
+@@ -253,7 +265,7 @@ cstar_tracesys:	
+ 	movq $-ENOSYS,RAX(%rsp)	/* really needed? */
+ 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
+ 	call syscall_trace_enter
+-	LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed it */
++	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+ 	movl RSP-ARGOFFSET(%rsp), %r8d
+ 	/* no need to do an access_ok check here because r8 has been
+@@ -330,7 +342,7 @@ ia32_tracesys:			 
+ 	movq $-ENOSYS,RAX(%rsp)	/* really needed? */
+ 	movq %rsp,%rdi        /* &pt_regs -> arg1 */
+ 	call syscall_trace_enter
+-	LOAD_ARGS ARGOFFSET  /* reload args from stack in case ptrace changed it */
++	LOAD_ARGS32 ARGOFFSET  /* reload args from stack in case ptrace changed it */
+ 	RESTORE_REST
+ 	jmp ia32_do_syscall
+ END(ia32_syscall)
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c linux-source-2.6.18/arch/x86_64/kernel/ptrace.c
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/ptrace.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/ptrace.c	2007-09-25 00:10:16.089100799 -0600
+@@ -223,10 +223,6 @@ static int putreg(struct task_struct *ch
+ {
+ 	unsigned long tmp; 
+ 	
+-	/* Some code in the 64bit emulation may not be 64bit clean.
+-	   Don't take any chances. */
+-	if (test_tsk_thread_flag(child, TIF_IA32))
+-		value &= 0xffffffff;
+ 	switch (regno) {
+ 		case offsetof(struct user_regs_struct,fs):
+ 			if (value && (value & 3) != 3)
diff --git a/trunk/2.6.18/30036_jffs2-ACL-vs-mode-handling.patch b/trunk/2.6.18/30036_jffs2-ACL-vs-mode-handling.patch
new file mode 100644
index 0000000..6d52512
--- /dev/null
+++ b/trunk/2.6.18/30036_jffs2-ACL-vs-mode-handling.patch
@@ -0,0 +1,355 @@
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Wed, 22 Aug 2007 11:39:19 +0000 (+0100)
+Subject: [JFFS2] Fix ACL vs. mode handling.
+X-Git-Url: http://git.infradead.org/?p=mtd-2.6.git;a=commitdiff_plain;h=9ed437c50d89eabae763dd422579f73fdebf288d
+
+[JFFS2] Fix ACL vs. mode handling.
+
+When POSIX ACL support was enabled, we weren't writing correct
+legacy modes to the medium on inode creation, or when the ACL was set.
+This meant that the permissions would be incorrect after the file system
+was remounted.
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+---
+
+diff --git a/fs/jffs2/acl.c b/fs/jffs2/acl.c
+index 65b3a1b..8ec9323 100644
+--- a/fs/jffs2/acl.c
++++ b/fs/jffs2/acl.c
+@@ -176,7 +176,7 @@ static void jffs2_iset_acl(struct inode *inode, struct posix_acl **i_acl, struct
+ 	spin_unlock(&inode->i_lock);
+ }
+ 
+-static struct posix_acl *jffs2_get_acl(struct inode *inode, int type)
++struct posix_acl *jffs2_get_acl(struct inode *inode, int type)
+ {
+ 	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+ 	struct posix_acl *acl;
+@@ -247,8 +247,13 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
+ 			if (rc < 0)
+ 				return rc;
+ 			if (inode->i_mode != mode) {
+-				inode->i_mode = mode;
+-				jffs2_dirty_inode(inode);
++				struct iattr attr;
++
++				attr.ia_valid = ATTR_MODE;
++				attr.ia_mode = mode;
++				rc = jffs2_do_setattr(inode, &attr);
++				if (rc < 0)
++					return rc;
+ 			}
+ 			if (rc == 0)
+ 				acl = NULL;
+@@ -307,22 +312,16 @@ int jffs2_permission(struct inode *inode, int mask, struct nameidata *nd)
+ 	return generic_permission(inode, mask, jffs2_check_acl);
+ }
+ 
+-int jffs2_init_acl(struct inode *inode, struct inode *dir)
++int jffs2_init_acl(struct inode *inode, struct posix_acl *acl)
+ {
+ 	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+-	struct posix_acl *acl = NULL, *clone;
++	struct posix_acl *clone;
+ 	mode_t mode;
+ 	int rc = 0;
+ 
+ 	f->i_acl_access = JFFS2_ACL_NOT_CACHED;
+ 	f->i_acl_default = JFFS2_ACL_NOT_CACHED;
+-	if (!S_ISLNK(inode->i_mode)) {
+-		acl = jffs2_get_acl(dir, ACL_TYPE_DEFAULT);
+-		if (IS_ERR(acl))
+-			return PTR_ERR(acl);
+-		if (!acl)
+-			inode->i_mode &= ~current->fs->umask;
+-	}
++
+ 	if (acl) {
+ 		if (S_ISDIR(inode->i_mode)) {
+ 			rc = jffs2_set_acl(inode, ACL_TYPE_DEFAULT, acl);
+diff --git a/fs/jffs2/acl.h b/fs/jffs2/acl.h
+index c84378c..90a2dbf 100644
+--- a/fs/jffs2/acl.h
++++ b/fs/jffs2/acl.h
+@@ -28,9 +28,10 @@ struct jffs2_acl_header {
+ 
+ #define JFFS2_ACL_NOT_CACHED ((void *)-1)
+ 
++extern struct posix_acl *jffs2_get_acl(struct inode *inode, int type);
+ extern int jffs2_permission(struct inode *, int, struct nameidata *);
+ extern int jffs2_acl_chmod(struct inode *);
+-extern int jffs2_init_acl(struct inode *, struct inode *);
++extern int jffs2_init_acl(struct inode *, struct posix_acl *);
+ extern void jffs2_clear_acl(struct jffs2_inode_info *);
+ 
+ extern struct xattr_handler jffs2_acl_access_xattr_handler;
+@@ -38,6 +39,7 @@ extern struct xattr_handler jffs2_acl_default_xattr_handler;
+ 
+ #else
+ 
++#define jffs2_get_acl(inode, type)	(NULL)
+ #define jffs2_permission NULL
+ #define jffs2_acl_chmod(inode)		(0)
+ #define jffs2_init_acl(inode,dir)	(0)
+diff --git a/fs/jffs2/dir.c b/fs/jffs2/dir.c
+index d293a1f..8353eb9 100644
+--- a/fs/jffs2/dir.c
++++ b/fs/jffs2/dir.c
+@@ -182,6 +182,7 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, int mode,
+ 	struct jffs2_inode_info *f, *dir_f;
+ 	struct jffs2_sb_info *c;
+ 	struct inode *inode;
++	struct posix_acl *acl;
+ 	int ret;
+ 
+ 	ri = jffs2_alloc_raw_inode();
+@@ -192,7 +193,7 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, int mode,
+ 
+ 	D1(printk(KERN_DEBUG "jffs2_create()\n"));
+ 
+-	inode = jffs2_new_inode(dir_i, mode, ri);
++	inode = jffs2_new_inode(dir_i, mode, ri, &acl);
+ 
+ 	if (IS_ERR(inode)) {
+ 		D1(printk(KERN_DEBUG "jffs2_new_inode() failed\n"));
+@@ -212,12 +213,12 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, int mode,
+ 			      dentry->d_name.name, dentry->d_name.len);
+ 
+ 	if (ret)
+-		goto fail;
++		goto fail_acl;
+ 
+ 	ret = jffs2_init_security(inode, dir_i);
+ 	if (ret)
+-		goto fail;
+-	ret = jffs2_init_acl(inode, dir_i);
++		goto fail_acl;
++	ret = jffs2_init_acl(inode, acl);
+ 	if (ret)
+ 		goto fail;
+ 
+@@ -230,6 +231,8 @@ static int jffs2_create(struct inode *dir_i, struct dentry *dentry, int mode,
+ 		  inode->i_ino, inode->i_mode, inode->i_nlink, f->inocache->nlink, inode->i_mapping->nrpages));
+ 	return 0;
+ 
++ fail_acl:
++	posix_acl_release(acl);
+  fail:
+ 	make_bad_inode(inode);
+ 	iput(inode);
+@@ -306,6 +309,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
+ 	struct jffs2_full_dirent *fd;
+ 	int namelen;
+ 	uint32_t alloclen;
++	struct posix_acl *acl;
+ 	int ret, targetlen = strlen(target);
+ 
+ 	/* FIXME: If you care. We'd need to use frags for the target
+@@ -332,7 +336,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
+ 		return ret;
+ 	}
+ 
+-	inode = jffs2_new_inode(dir_i, S_IFLNK | S_IRWXUGO, ri);
++	inode = jffs2_new_inode(dir_i, S_IFLNK | S_IRWXUGO, ri, &acl);
+ 
+ 	if (IS_ERR(inode)) {
+ 		jffs2_free_raw_inode(ri);
+@@ -362,6 +366,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
+ 		up(&f->sem);
+ 		jffs2_complete_reservation(c);
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return PTR_ERR(fn);
+ 	}
+ 
+@@ -372,6 +377,7 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
+ 		up(&f->sem);
+ 		jffs2_complete_reservation(c);
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return -ENOMEM;
+ 	}
+ 
+@@ -389,9 +395,10 @@ static int jffs2_symlink (struct inode *dir_i, struct dentry *dentry, const char
+ 	ret = jffs2_init_security(inode, dir_i);
+ 	if (ret) {
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return ret;
+ 	}
+-	ret = jffs2_init_acl(inode, dir_i);
++	ret = jffs2_init_acl(inode, acl);
+ 	if (ret) {
+ 		jffs2_clear_inode(inode);
+ 		return ret;
+@@ -469,6 +476,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
+ 	struct jffs2_full_dirent *fd;
+ 	int namelen;
+ 	uint32_t alloclen;
++	struct posix_acl *acl;
+ 	int ret;
+ 
+ 	mode |= S_IFDIR;
+@@ -491,7 +499,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
+ 		return ret;
+ 	}
+ 
+-	inode = jffs2_new_inode(dir_i, mode, ri);
++	inode = jffs2_new_inode(dir_i, mode, ri, &acl);
+ 
+ 	if (IS_ERR(inode)) {
+ 		jffs2_free_raw_inode(ri);
+@@ -518,6 +526,7 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
+ 		up(&f->sem);
+ 		jffs2_complete_reservation(c);
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return PTR_ERR(fn);
+ 	}
+ 	/* No data here. Only a metadata node, which will be
+@@ -531,9 +540,10 @@ static int jffs2_mkdir (struct inode *dir_i, struct dentry *dentry, int mode)
+ 	ret = jffs2_init_security(inode, dir_i);
+ 	if (ret) {
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return ret;
+ 	}
+-	ret = jffs2_init_acl(inode, dir_i);
++	ret = jffs2_init_acl(inode, acl);
+ 	if (ret) {
+ 		jffs2_clear_inode(inode);
+ 		return ret;
+@@ -629,6 +639,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
+ 	union jffs2_device_node dev;
+ 	int devlen = 0;
+ 	uint32_t alloclen;
++	struct posix_acl *acl;
+ 	int ret;
+ 
+ 	if (!new_valid_dev(rdev))
+@@ -655,7 +666,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
+ 		return ret;
+ 	}
+ 
+-	inode = jffs2_new_inode(dir_i, mode, ri);
++	inode = jffs2_new_inode(dir_i, mode, ri, &acl);
+ 
+ 	if (IS_ERR(inode)) {
+ 		jffs2_free_raw_inode(ri);
+@@ -684,6 +695,7 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
+ 		up(&f->sem);
+ 		jffs2_complete_reservation(c);
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return PTR_ERR(fn);
+ 	}
+ 	/* No data here. Only a metadata node, which will be
+@@ -697,9 +709,10 @@ static int jffs2_mknod (struct inode *dir_i, struct dentry *dentry, int mode, de
+ 	ret = jffs2_init_security(inode, dir_i);
+ 	if (ret) {
+ 		jffs2_clear_inode(inode);
++		posix_acl_release(acl);
+ 		return ret;
+ 	}
+-	ret = jffs2_init_acl(inode, dir_i);
++	ret = jffs2_init_acl(inode, acl);
+ 	if (ret) {
+ 		jffs2_clear_inode(inode);
+ 		return ret;
+diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
+index 1d3b7a9..dd64ddc 100644
+--- a/fs/jffs2/fs.c
++++ b/fs/jffs2/fs.c
+@@ -24,7 +24,7 @@
+ 
+ static int jffs2_flash_setup(struct jffs2_sb_info *c);
+ 
+-static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
++int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
+ {
+ 	struct jffs2_full_dnode *old_metadata, *new_metadata;
+ 	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+@@ -36,10 +36,8 @@ static int jffs2_do_setattr (struct inode *inode, struct iattr *iattr)
+ 	unsigned int ivalid;
+ 	uint32_t alloclen;
+ 	int ret;
++
+ 	D1(printk(KERN_DEBUG "jffs2_setattr(): ino #%lu\n", inode->i_ino));
+-	ret = inode_change_ok(inode, iattr);
+-	if (ret)
+-		return ret;
+ 
+ 	/* Special cases - we don't want more than one data node
+ 	   for these types on the medium at any time. So setattr
+@@ -183,9 +181,14 @@ int jffs2_setattr(struct dentry *dentry, struct iattr *iattr)
+ {
+ 	int rc;
+ 
++	rc = inode_change_ok(dentry->d_inode, iattr);
++	if (rc)
++		return rc;
++
+ 	rc = jffs2_do_setattr(dentry->d_inode, iattr);
+ 	if (!rc && (iattr->ia_valid & ATTR_MODE))
+ 		rc = jffs2_acl_chmod(dentry->d_inode);
++
+ 	return rc;
+ }
+ 
+@@ -399,7 +402,8 @@ void jffs2_write_super (struct super_block *sb)
+ 
+ /* jffs2_new_inode: allocate a new inode and inocache, add it to the hash,
+    fill in the raw_inode while you're at it. */
+-struct inode *jffs2_new_inode (struct inode *dir_i, int mode, struct jffs2_raw_inode *ri)
++struct inode *jffs2_new_inode (struct inode *dir_i, int mode, struct jffs2_raw_inode *ri,
++			       struct posix_acl **acl)
+ {
+ 	struct inode *inode;
+ 	struct super_block *sb = dir_i->i_sb;
+@@ -431,7 +435,23 @@ struct inode *jffs2_new_inode (struct inode *dir_i, int mode, struct jffs2_raw_i
+ 	} else {
+ 		ri->gid = cpu_to_je16(current->fsgid);
+ 	}
+-	ri->mode =  cpu_to_jemode(mode);
++
++	/* POSIX ACLs have to be processed now, at least partly.
++	   The umask is only applied if there's no default ACL */
++	if (!S_ISLNK(mode)) {
++		*acl = jffs2_get_acl(dir_i, ACL_TYPE_DEFAULT);
++		if (IS_ERR(*acl)) {
++			make_bad_inode(inode);
++			iput(inode);
++			inode = (void *)*acl;
++			*acl = NULL;
++			return inode;
++		}
++		if (!(*acl))
++			mode &= ~current->fs->umask;
++	} else {
++		*acl = NULL;
++	}
+ 	ret = jffs2_do_new_inode (c, f, mode, ri);
+ 	if (ret) {
+ 		make_bad_inode(inode);
+diff --git a/fs/jffs2/os-linux.h b/fs/jffs2/os-linux.h
+index 80daea9..f6743a9 100644
+--- a/fs/jffs2/os-linux.h
++++ b/fs/jffs2/os-linux.h
+@@ -173,12 +173,15 @@ int jffs2_ioctl(struct inode *, struct file *, unsigned int, unsigned long);
+ extern const struct inode_operations jffs2_symlink_inode_operations;
+ 
+ /* fs.c */
++struct posix_acl;
++
+ int jffs2_setattr (struct dentry *, struct iattr *);
++int jffs2_do_setattr (struct inode *, struct iattr *);
+ void jffs2_read_inode (struct inode *);
+ void jffs2_clear_inode (struct inode *);
+ void jffs2_dirty_inode(struct inode *inode);
+ struct inode *jffs2_new_inode (struct inode *dir_i, int mode,
+-			       struct jffs2_raw_inode *ri);
++			       struct jffs2_raw_inode *ri, struct posix_acl **acl);
+ int jffs2_statfs (struct dentry *, struct kstatfs *);
+ void jffs2_write_super (struct super_block *);
+ int jffs2_remount_fs (struct super_block *, int *, char *);