vfs: move permission checking into notify_change() for utimes(NULL)

commit f2b20f6ee842313a0d681dbbf7f87b70291a6a3b upstream.

This fixes a bug where the permission was not properly checked in
overlayfs.  The testcase is ltp/utimensat01.

It is also cleaner and safer to do the permission checking in the vfs
helper instead of the caller.

This patch introduces an additional ia_valid flag ATTR_TOUCH (since
touch(1) is the most obvious user of utimes(NULL)) that is passed into
notify_change whenever the conditions for this special permission checking
mode are met.

Reported-by: Aihua Zhang <zhangaihua1@huawei.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Tested-by: Aihua Zhang <zhangaihua1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/attr.c b/fs/attr.c
index 6530ced19697d49a9189fa289c9112187448fee3..d62f674a605ff687972507ffce003bc08121b81d 100644 (file)
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -202,6 +202,21 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
                        return -EPERM;
        }
 
+       /*
+        * If utimes(2) and friends are called with times == NULL (or both
+        * times are UTIME_NOW), then we need to check for write permission
+        */
+       if (ia_valid & ATTR_TOUCH) {
+               if (IS_IMMUTABLE(inode))
+                       return -EPERM;
+
+               if (!inode_owner_or_capable(inode)) {
+                       error = inode_permission(inode, MAY_WRITE);
+                       if (error)
+                               return error;
+               }
+       }
+
        if ((ia_valid & ATTR_MODE)) {
                umode_t amode = attr->ia_mode;
                /* Flag setting protected by i_mutex */

diff --git a/fs/utimes.c b/fs/utimes.c
index aa138d64560a6a3c2133bc70d57e367cc8c1476d..cb771c30d10231186d405b63155d02abadb0ce7e 100644 (file)
--- a/fs/utimes.c
+++ b/fs/utimes.c
@@ -87,20 +87,7 @@ static int utimes_common(struct path *path, struct timespec *times)
                 */
                newattrs.ia_valid |= ATTR_TIMES_SET;
        } else {
-               /*
-                * If times is NULL (or both times are UTIME_NOW),
-                * then we need to check permissions, because
-                * inode_change_ok() won't do it.
-                */
-               error = -EACCES;
-                if (IS_IMMUTABLE(inode))
-                       goto mnt_drop_write_and_out;
-
-               if (!inode_owner_or_capable(inode)) {
-                       error = inode_permission(inode, MAY_WRITE);
-                       if (error)
-                               goto mnt_drop_write_and_out;
-               }
+               newattrs.ia_valid |= ATTR_TOUCH;
        }
 retry_deleg:
        mutex_lock(&inode->i_mutex);
@@ -112,7 +99,6 @@ retry_deleg:
                        goto retry_deleg;
        }
 
-mnt_drop_write_and_out:
        mnt_drop_write(path->mnt);
 out:
        return error;

diff --git a/include/linux/fs.h b/include/linux/fs.h
index 0166582c4d78b842d37cd3a30ffad2b447f483b2..e1a123760dbfce85fd796a20a1c66427d71126b8 100644 (file)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -226,6 +226,7 @@ typedef void (dax_iodone_t)(struct buffer_head *bh_map, int uptodate);
 #define ATTR_KILL_PRIV (1 << 14)
 #define ATTR_OPEN      (1 << 15) /* Truncating from open(O_TRUNC) */
 #define ATTR_TIMES_SET (1 << 16)
+#define ATTR_TOUCH     (1 << 17)
 
 /*
  * Whiteout is represented by a char device.  The following constants define the