Filipe Brandenburger
2012-Nov-30 03:40 UTC
[PATCH 0/2] Btrfs: fix mode umasking on empty files
Hi, This set of patches fix bug #50861: "Btrfs sometimes ignore umask and create world writable files" https://bugzilla.kernel.org/show_bug.cgi?id=50861 It turns out that btrfs_create() will create an inode with permissions 0666 and these will be changed to match the umask inside btrfs_init_acl() (and only in cases where the ACL doesn''t mandate which permissions the file should have.) The changes are made to the "struct inode" but it''s not marked as dirty, so these changes will only propagate to the "struct btrfs_inode" if other changes are made to the inode (e.g. by writing content and changing the size or by using "touch" and changing the mtime, both of which will mark the inode as dirty.) I fixed this issue by adding a call to btrfs_update_inode() in btrfs_create(). I believe this might be an acceptable solution since the same is already done on most other system calls such as "mkdir" or "symlink". An alternative might be applying the umask earlier, before the call to btrfs_new_inode(), that way the inode would be created with the right permission bits from the beginning, but that might either involve checking the ACLs before creating the inode (which might need a rework of btrfs_init_acl()) or umasking the bits unconditionally, but I guess there''s a reason to apply that logic... The first patch fixes the issue, the second patch refactors the code to avoid the repetition of setting the flag variable on every error handling block. Cheers, Filipe Filipe Brandenburger (2): Btrfs: fix permissions of empty files not affected by umask Btrfs: refactor error handling to drop inode in btrfs_create() fs/btrfs/inode.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) -- 1.7.11.7 -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Filipe Brandenburger
2012-Nov-30 03:40 UTC
[PATCH 1/2] Btrfs: fix permissions of empty files not affected by umask
When a new file is created with btrfs_create(), the inode will initially be
created with permissions 0666 and later on in btrfs_init_acl() it will be
adapted to mask out the umask bits. The problem is that this change
won''t make
it into the btrfs_inode unless there''s another change to the inode
(e.g. writing
content changing the size or touching the file changing the mtime.)
This fix adds a call to btrfs_update_inode() to btrfs_create() to make sure that
the change will not get lost if the in-memory inode is flushed before other
changes are made to the file.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
---
fs/btrfs/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 95542a1..caf9d76 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4996,6 +4996,12 @@ static int btrfs_create(struct inode *dir, struct dentry
*dentry,
goto out_unlock;
}
+ err = btrfs_update_inode(trans, root, inode);
+ if (err) {
+ drop_inode = 1;
+ goto out_unlock;
+ }
+
/*
* If the active LSM wants to access the inode during
* d_instantiate it needs these. Smack checks to see
--
1.7.11.7
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs"
in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Filipe Brandenburger
2012-Nov-30 03:40 UTC
[PATCH 2/2] Btrfs: refactor error handling to drop inode in btrfs_create()
Refactor it by checking whether the inode has been created and needs to be
dropped (drop_inode_on_err) and also if the err variable is set. That way the
variable doesn''t need to be set on each and every error handling block.
Signed-off-by: Filipe Brandenburger <filbranden@google.com>
---
fs/btrfs/inode.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index caf9d76..1d66c9e 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4963,7 +4963,7 @@ static int btrfs_create(struct inode *dir, struct dentry
*dentry,
struct btrfs_trans_handle *trans;
struct btrfs_root *root = BTRFS_I(dir)->root;
struct inode *inode = NULL;
- int drop_inode = 0;
+ int drop_inode_on_err = 0;
int err;
unsigned long nr = 0;
u64 objectid;
@@ -4989,18 +4989,15 @@ static int btrfs_create(struct inode *dir, struct dentry
*dentry,
err = PTR_ERR(inode);
goto out_unlock;
}
+ drop_inode_on_err = 1;
err = btrfs_init_inode_security(trans, inode, dir, &dentry->d_name);
- if (err) {
- drop_inode = 1;
+ if (err)
goto out_unlock;
- }
err = btrfs_update_inode(trans, root, inode);
- if (err) {
- drop_inode = 1;
+ if (err)
goto out_unlock;
- }
/*
* If the active LSM wants to access the inode during
@@ -5013,17 +5010,17 @@ static int btrfs_create(struct inode *dir, struct dentry
*dentry,
err = btrfs_add_nondir(trans, dir, dentry, inode, 0, index);
if (err)
- drop_inode = 1;
- else {
- inode->i_mapping->a_ops = &btrfs_aops;
- inode->i_mapping->backing_dev_info = &root->fs_info->bdi;
- BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
- d_instantiate(dentry, inode);
- }
+ goto out_unlock;
+
+ inode->i_mapping->a_ops = &btrfs_aops;
+ inode->i_mapping->backing_dev_info = &root->fs_info->bdi;
+ BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
+ d_instantiate(dentry, inode);
+
out_unlock:
nr = trans->blocks_used;
btrfs_end_transaction(trans, root);
- if (drop_inode) {
+ if (err && drop_inode_on_err) {
inode_dec_link_count(inode);
iput(inode);
}
--
1.7.11.7
Liu Bo
2012-Nov-30 06:17 UTC
Re: [PATCH 1/2] Btrfs: fix permissions of empty files not affected by umask
On Thu, Nov 29, 2012 at 07:40:08PM -0800, Filipe Brandenburger wrote:> When a new file is created with btrfs_create(), the inode will initially be > created with permissions 0666 and later on in btrfs_init_acl() it will be > adapted to mask out the umask bits. The problem is that this change won''t make > it into the btrfs_inode unless there''s another change to the inode (e.g. writing > content changing the size or touching the file changing the mtime.) > > This fix adds a call to btrfs_update_inode() to btrfs_create() to make sure that > the change will not get lost if the in-memory inode is flushed before other > changes are made to the file. >Looks good to me. Reviewed-by: Liu Bo <bo.li.liu@oracle.com> thanks, liubo> Signed-off-by: Filipe Brandenburger <filbranden@google.com> > --- > fs/btrfs/inode.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 95542a1..caf9d76 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -4996,6 +4996,12 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry, > goto out_unlock; > } > > + err = btrfs_update_inode(trans, root, inode); > + if (err) { > + drop_inode = 1; > + goto out_unlock; > + } > + > /* > * If the active LSM wants to access the inode during > * d_instantiate it needs these. Smack checks to see > -- > 1.7.11.7 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/
Filipe Brandenburger
2012-Dec-04 07:05 UTC
Re: [PATCH 1/2] Btrfs: fix permissions of empty files not affected by umask
Hi, Any concerns on this patchset? Any chance it can be integrated in time for 3.8 or too risky for it? The Bugzilla entry contains some test cases that reproduce the issue fairly easily by unmounting the filesystem right after creating an empty file... Let me know if there are any extra fixes or tests you''d like me to provide. Thanks, Filipe On Thu, Nov 29, 2012 at 7:40 PM, Filipe Brandenburger <filbranden@google.com> wrote:> When a new file is created with btrfs_create(), the inode will initially be > created with permissions 0666 and later on in btrfs_init_acl() it will be > adapted to mask out the umask bits. The problem is that this change won''t make > it into the btrfs_inode unless there''s another change to the inode (e.g. writing > content changing the size or touching the file changing the mtime.) > > This fix adds a call to btrfs_update_inode() to btrfs_create() to make sure that > the change will not get lost if the in-memory inode is flushed before other > changes are made to the file. > > Signed-off-by: Filipe Brandenburger <filbranden@google.com> > --- > fs/btrfs/inode.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 95542a1..caf9d76 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -4996,6 +4996,12 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry, > goto out_unlock; > } > > + err = btrfs_update_inode(trans, root, inode); > + if (err) { > + drop_inode = 1; > + goto out_unlock; > + } > + > /* > * If the active LSM wants to access the inode during > * d_instantiate it needs these. Smack checks to see > -- > 1.7.11.7 >-- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html