[RHEL7,COMMIT] rh/ext4: release leaked posix acl in ext4_xattr_set_acl

Submitted by Konstantin Khorenko on Feb. 9, 2018, 8:52 a.m.

Details

Message ID 201802090852.w198qFML032494@finist_ce7.work
State New
Series "ext4: release leaked posix acl in ext4_xattr_set_acl"
Headers show

Commit Message

Konstantin Khorenko Feb. 9, 2018, 8:52 a.m.
The commit is pushed to "branch-rh7-3.10.0-693.17.1.vz7.43.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.17.1.vz7.43.3
------>
commit b762d904ada70f239f1c2d2d70c4a64cd04c8ade
Author: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
Date:   Fri Feb 9 11:52:15 2018 +0300

    rh/ext4: release leaked posix acl in ext4_xattr_set_acl
    
    Note: only rh7-3.10.0-693.17.1.el7-based kernels are affcted.
    I.e. starting from rh7-3.10.0-693.17.1.vz7.43.1.
    
    Posix acl is used to convert of an extended attribute, provided by user to ext4
    attributes. In particular to i_mode in case of ACL_TYPE_ACCESS request.
    
    IOW, this object is allocated, used for convertion, not stored anywhere and
    must be freed.
    
    However posix_acl_update_mode() can zerofy the pointer to support
    ext4_set_acl() logic, but then the object is leaked. So, fix it by releasing
    new temporary pointer with the same value instead of acl pointer.
    
    https://jira.sw.ru/browse/PSBM-81384
    
    RHEL bug URL: https://bugzilla.redhat.com/show_bug.cgi?id=1543020
    
    v2: Added affected kernel version + RHEL bug URL
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
    Acked-by: Dmitry Monakhov <dmonakhov@openvz.org>
---
 fs/ext4/acl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Patch hide | download patch | download mbox

diff --git a/fs/ext4/acl.c b/fs/ext4/acl.c
index fce029fa0c3b..046b33819608 100644
--- a/fs/ext4/acl.c
+++ b/fs/ext4/acl.c
@@ -405,7 +405,7 @@  ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
 {
 	struct inode *inode = dentry->d_inode;
 	handle_t *handle;
-	struct posix_acl *acl;
+	struct posix_acl *acl, *real_acl;
 	int error, retries = 0;
 	int update_mode = 0;
 	umode_t mode = inode->i_mode;
@@ -418,7 +418,7 @@  ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
 		return -EPERM;
 
 	if (value) {
-		acl = posix_acl_from_xattr(&init_user_ns, value, size);
+		acl = real_acl = posix_acl_from_xattr(&init_user_ns, value, size);
 		if (IS_ERR(acl))
 			return PTR_ERR(acl);
 		else if (acl) {
@@ -427,7 +427,7 @@  ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
 				goto release_and_out;
 		}
 	} else
-		acl = NULL;
+		acl = real_acl = NULL;
 
 retry:
 	handle = ext4_journal_start(inode, EXT4_HT_XATTR,
@@ -454,7 +454,7 @@  ext4_xattr_set_acl(struct dentry *dentry, const char *name, const void *value,
 		goto retry;
 
 release_and_out:
-	posix_acl_release(acl);
+	posix_acl_release(real_acl);
 	return error;
 }