[X/B/D/E][PATCH 2/2] aufs: bugfix, IMA i_readcount

[Mauricio Faria de Oliveira]

From: "J. R. Okajima" <hooanon05g at gmail.com>

By the recent commit
	21913077f9918 2020-06-17 aufs: do not call i_readcount_inc()
a very old bug was fixed, which is inblance counter.
But still aufs needs to call i_readcount_inc() when the branch
permission is chaned from RW to RO.  Otherwise the counter reaches 0
and BUG() in i_readcount_dec() will be activated.

Signed-off-by: J. R. Okajima <hooanon05g at gmail.com>
(cherry picked from commit f10aea57d39d6cd311312e9e7746804f7059b5c8 aufs4-linux.git)
CVE-2020-11935
Signed-off-by: Mauricio Faria de Oliveira <mfo at canonical.com>
---
 fs/aufs/branch.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/aufs/branch.c b/fs/aufs/branch.c
index 17a45c89e2cf..b12a0da6a70e 100644
--- a/fs/aufs/branch.c
+++ b/fs/aufs/branch.c
@@ -1202,6 +1202,7 @@ static int au_br_mod_files_ro(struct super_block *sb, aufs_bindex_t bindex)
 	unsigned char verbose, writer;
 	struct file *file, *hf, **array;
 	struct au_hfile *hfile;
+	struct inode *h_inode;
 
 	mnt_flags = au_mntflags(sb);
 	verbose = !!au_opt_test(mnt_flags, VERBOSE);
@@ -1272,7 +1273,10 @@ static int au_br_mod_files_ro(struct super_block *sb, aufs_bindex_t bindex)
 		hf->f_mode &= ~(FMODE_WRITE | FMODE_WRITER);
 		spin_unlock(&hf->f_lock);
 		if (writer) {
-			put_write_access(file_inode(hf));
+			h_inode = file_inode(hf);
+			if (hf->f_mode & FMODE_READ)
+				i_readcount_inc(h_inode);
+			put_write_access(h_inode);
 			__mnt_drop_write(hf->f_path.mnt);
 		}
 	}
-- 
2.25.1