ext4: fix potential deadlock with setuid files and EXT4_IOC_MOVE_EXT
authorTheodore Ts'o <tytso@mit.edu>
Tue, 20 Dec 2011 22:06:08 +0000 (17:06 -0500)
committerTheodore Ts'o <tytso@mit.edu>
Tue, 20 Dec 2011 22:06:08 +0000 (17:06 -0500)
file_remove_suid() must be called with i_mutex down, since it calls
notify_change().  In addition, we really want to remove the suid bit
*before* we modify the donor file, to keep anyone from trying to
exploit a race.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
fs/ext4/ioctl.c
fs/ext4/move_extent.c

index a56796814d6ab1a564af494e23b57871f2121692..ff1aab7cd6e839dace648a74fdf6b04882a9b273 100644 (file)
@@ -247,8 +247,6 @@ setversion_out:
                err = ext4_move_extents(filp, donor_filp, me.orig_start,
                                        me.donor_start, me.len, &me.moved_len);
                mnt_drop_write(filp->f_path.mnt);
-               if (me.moved_len > 0)
-                       file_remove_suid(donor_filp);
 
                if (copy_to_user((struct move_extent __user *)arg,
                                 &me, sizeof(me)))
index c5826c623e7af8e19aa0baf5829ce5e25fcc1f71..7403e1b68a0e2dce5e84171fe5bc3aa8598a0231 100644 (file)
@@ -1222,6 +1222,8 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp,
        if (ret1)
                goto out;
 
+       file_remove_suid(d_filp);
+
        file_end = (i_size_read(orig_inode) - 1) >> orig_inode->i_blkbits;
        block_end = block_start + len - 1;
        if (file_end < block_end)
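Review bot: The added `file_remove_suid(d_filp);` discards the function's int result, so if clearing the setuid/setgid bits fails, the extent swap still goes ahead on a donor file that keeps its privileged mode bits. The check just above it already uses `if (ret1) goto out;`, so the call could follow the same shape: `ret1 = file_remove_suid(d_filp);` followed by `if (ret1) goto out;`. The call now runs before any extent is moved rather than only when `moved_len > 0`, which is the safer order but deserves a one-line comment such as `/* strip suid/sgid from the donor before its data changes; needs i_mutex held */`. ext4_move_extents starts and ends outside this hunk, so what the `out` label unwinds, and whether the donor's i_mutex is held at this point, should be confirmed against the full function.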