FROMLIST: 9p: fix a potential acl leak

(https://lkml.org/lkml/2016/12/13/579)

posix_acl_update_mode() could possibly clear 'acl', if so
we leak the memory pointed by 'acl'. Save this pointer
before calling posix_acl_update_mode() and release the memory
if 'acl' really gets cleared.

Reported-by: Mark Salyzyn <salyzyn@android.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Greg Kurz <groug@kaod.org>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Bug: 32458736
Change-Id: Ia78da401e6fd1bfd569653bd2cd0ebd3f9c737a0

diff --git a/fs/9p/acl.c b/fs/9p/acl.c
index 9686c1f17653f4469156ea19d83a1ceaeef763da..c19a66472d2eb3651216e4e413f966e88c6e4b29 100644 (file)
--- a/fs/9p/acl.c
+++ b/fs/9p/acl.c
@@ -321,6 +321,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
                name = POSIX_ACL_XATTR_ACCESS;
                if (acl) {
                        struct iattr iattr;
+                       struct posix_acl *old_acl = acl;
 
                        retval = posix_acl_update_mode(inode, &iattr.ia_mode, &acl);
                        if (retval)
@@ -331,6 +332,7 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
                                 * by the mode bits. So don't
                                 * update ACL.
                                 */
+                               posix_acl_release(old_acl);
                                value = NULL;
                                size = 0;
                        }