Btrfs: Fix BTRFS_IOC_SUBVOL_SETFLAGS ioctl

- Check user-specified flags correctly - Check the inode owership - Search root item in root tree but not fs tree Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Li Zefan <lizf@cn.fujitsu.com> Signed-off-by: Chris Mason <chris.mason@oracle.com>
author: Li Zefan <lizf@cn.fujitsu.com> 2011-02-16 01:06:34 -0500
committer: Chris Mason <chris.mason@oracle.com> 2011-02-16 15:37:58 -0500
commit: b4dc2b8c694ead005b828f5fb7fa1134db5b6275 (patch)
tree: ba01c2bb5381ab9a34c4152ed4dd83c1797f780c /fs
parent: c87f08ca44e83b2c8d28f63f9c33f3a270a04bbe (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index be2d4f6aaa5e..5fdb2abc4fa7 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1071,12 +1071,15 @@ static noinline int btrfs_ioctl_subvol_setflags(struct file *file,
        if (copy_from_user(&flags, arg, sizeof(flags)))
                return -EFAULT;
-        if (flags & ~BTRFS_SUBVOL_CREATE_ASYNC)
+        if (flags & BTRFS_SUBVOL_CREATE_ASYNC)
                return -EINVAL;
        if (flags & ~BTRFS_SUBVOL_RDONLY)
                return -EOPNOTSUPP;
+        if (!is_owner_or_cap(inode))
+                return -EACCES;
        down_write(&root->fs_info->subvol_sem);
        /* nothing to do */
@@ -1097,7 +1100,7 @@ static noinline int btrfs_ioctl_subvol_setflags(struct file *file,
                goto out_reset;
        }
-        ret = btrfs_update_root(trans, root,
+        ret = btrfs_update_root(trans, root->fs_info->tree_root,
                                &root->root_key, &root->root_item);
        btrfs_commit_transaction(trans, root);
author	Li Zefan <lizf@cn.fujitsu.com>	2011-02-16 01:06:34 -0500
committer	Chris Mason <chris.mason@oracle.com>	2011-02-16 15:37:58 -0500
commit	b4dc2b8c694ead005b828f5fb7fa1134db5b6275 (patch)
tree	ba01c2bb5381ab9a34c4152ed4dd83c1797f780c /fs
parent	c87f08ca44e83b2c8d28f63f9c33f3a270a04bbe (diff)