[PATCH 0/2] Btrfs: fix mode umasking on empty files

[PATCH 0/2] Btrfs: fix mode umasking on empty files

[Filipe Brandenburger]

Hi,

This set of patches fix bug #50861:
"Btrfs sometimes ignore umask and create world writable files"
https://bugzilla.kernel.org/show_bug.cgi?id=50861

It turns out that btrfs_create() will create an inode with permissions 0666 and
these will be changed to match the umask inside btrfs_init_acl() (and only in
cases where the ACL doesn't mandate which permissions the file should have.) The
changes are made to the "struct inode" but it's not marked as dirty, so these
changes will only propagate to the "struct btrfs_inode" if other changes are
made to the inode (e.g. by writing content and changing the size or by using
"touch" and changing the mtime, both of which will mark the inode as dirty.)

I fixed this issue by adding a call to btrfs_update_inode() in btrfs_create().
I believe this might be an acceptable solution since the same is already done on
most other system calls such as "mkdir" or "symlink".

An alternative might be applying the umask earlier, before the call to
btrfs_new_inode(), that way the inode would be created with the right permission
bits from the beginning, but that might either involve checking the ACLs before
creating the inode (which might need a rework of btrfs_init_acl()) or umasking
the bits unconditionally, but I guess there's a reason to apply that logic...

The first patch fixes the issue, the second patch refactors the code to avoid
the repetition of setting the flag variable on every error handling block.

Cheers,
Filipe


Filipe Brandenburger (2):
  Btrfs: fix permissions of empty files not affected by umask
  Btrfs: refactor error handling to drop inode in btrfs_create()

 fs/btrfs/inode.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

-- 
1.7.11.7

[PATCH 1/2] Btrfs: fix permissions of empty files not affected by umask

[Filipe Brandenburger]

When a new file is created with btrfs_create(), the inode will initially be
created with permissions 0666 and later on in btrfs_init_acl() it will be
adapted to mask out the umask bits. The problem is that this change won't make
it into the btrfs_inode unless there's another change to the inode (e.g. writing
content changing the size or touching the file changing the mtime.)

This fix adds a call to btrfs_update_inode() to btrfs_create() to make sure that
the change will not get lost if the in-memory inode is flushed before other
changes are made to the file.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
---
 fs/btrfs/inode.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 95542a1..caf9d76 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4996,6 +4996,12 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
 		goto out_unlock;
 	}
 
+	err = btrfs_update_inode(trans, root, inode);
+	if (err) {
+		drop_inode = 1;
+		goto out_unlock;
+	}
+
 	/*
 	* If the active LSM wants to access the inode during
 	* d_instantiate it needs these. Smack checks to see
-- 
1.7.11.7

[PATCH 2/2] Btrfs: refactor error handling to drop inode in btrfs_create()

[Filipe Brandenburger]

Refactor it by checking whether the inode has been created and needs to be
dropped (drop_inode_on_err) and also if the err variable is set. That way the
variable doesn't need to be set on each and every error handling block.

Signed-off-by: Filipe Brandenburger <filbranden@google.com>
---
 fs/btrfs/inode.c | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index caf9d76..1d66c9e 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4963,7 +4963,7 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
 	struct btrfs_trans_handle *trans;
 	struct btrfs_root *root = BTRFS_I(dir)->root;
 	struct inode *inode = NULL;
-	int drop_inode = 0;
+	int drop_inode_on_err = 0;
 	int err;
 	unsigned long nr = 0;
 	u64 objectid;
@@ -4989,18 +4989,15 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
 		err = PTR_ERR(inode);
 		goto out_unlock;
 	}
+	drop_inode_on_err = 1;
 
 	err = btrfs_init_inode_security(trans, inode, dir, &dentry->d_name);
-	if (err) {
-		drop_inode = 1;
+	if (err)
 		goto out_unlock;
-	}
 
 	err = btrfs_update_inode(trans, root, inode);
-	if (err) {
-		drop_inode = 1;
+	if (err)
 		goto out_unlock;
-	}
 
 	/*
 	* If the active LSM wants to access the inode during
@@ -5013,17 +5010,17 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
 
 	err = btrfs_add_nondir(trans, dir, dentry, inode, 0, index);
 	if (err)
-		drop_inode = 1;
-	else {
-		inode->i_mapping->a_ops = &btrfs_aops;
-		inode->i_mapping->backing_dev_info = &root->fs_info->bdi;
-		BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
-		d_instantiate(dentry, inode);
-	}
+		goto out_unlock;
+
+	inode->i_mapping->a_ops = &btrfs_aops;
+	inode->i_mapping->backing_dev_info = &root->fs_info->bdi;
+	BTRFS_I(inode)->io_tree.ops = &btrfs_extent_io_ops;
+	d_instantiate(dentry, inode);
+
 out_unlock:
 	nr = trans->blocks_used;
 	btrfs_end_transaction(trans, root);
-	if (drop_inode) {
+	if (err && drop_inode_on_err) {
 		inode_dec_link_count(inode);
 		iput(inode);
 	}
-- 
1.7.11.7

Re: [PATCH 1/2] Btrfs: fix permissions of empty files not affected by umask

[Liu Bo]

On Thu, Nov 29, 2012 at 07:40:08PM -0800, Filipe Brandenburger wrote:
> When a new file is created with btrfs_create(), the inode will initially be
> created with permissions 0666 and later on in btrfs_init_acl() it will be
> adapted to mask out the umask bits. The problem is that this change won't make
> it into the btrfs_inode unless there's another change to the inode (e.g. writing
> content changing the size or touching the file changing the mtime.)
> 
> This fix adds a call to btrfs_update_inode() to btrfs_create() to make sure that
> the change will not get lost if the in-memory inode is flushed before other
> changes are made to the file.
> 

Looks good to me.

Reviewed-by: Liu Bo <bo.li.liu@oracle.com>

thanks,
liubo

> Signed-off-by: Filipe Brandenburger <filbranden@google.com>
> ---
>  fs/btrfs/inode.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index 95542a1..caf9d76 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -4996,6 +4996,12 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
>  		goto out_unlock;
>  	}
>  
> +	err = btrfs_update_inode(trans, root, inode);
> +	if (err) {
> +		drop_inode = 1;
> +		goto out_unlock;
> +	}
> +
>  	/*
>  	* If the active LSM wants to access the inode during
>  	* d_instantiate it needs these. Smack checks to see
> -- 
> 1.7.11.7
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/