Merge 4.4.166 into android-4.4

Changes in 4.4.166
	usb: core: Fix hub port connection events lost
	usb: xhci: fix timeout for transition from RExit to U0
	MAINTAINERS: Add Sasha as a stable branch maintainer
	iwlwifi: mvm: support sta_statistics() even on older firmware
	v9fs_dir_readdir: fix double-free on p9stat_read error
	bfs: add sanity check at bfs_fill_super()
	sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
	gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
	llc: do not use sk_eat_skb()
	drm/ast: change resolution may cause screen blurred
	drm/ast: fixed cursor may disappear sometimes
	can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb()
	can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length
	can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds
	can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb
	usb: xhci: Prevent bus suspend if a port connect change or polling state is detected
	KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
	cpufreq: imx6q: add return value check for voltage scale
	SUNRPC: Fix a bogus get/put in generic_key_to_expire()
	kdb: Use strscpy with destination buffer size
	powerpc/numa: Suppress "VPHN is not supported" messages
	tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset
	of: add helper to lookup compatible child node
	NFC: nfcmrvl_uart: fix OF child-node lookup
	net: bcmgenet: fix OF child-node lookup
	x86/entry: spell EBX register correctly in documentation
	x86/entry/64: Remove %ebx handling from error_entry/exit
	arm64: remove no-op -p linker flag
	ath10k: fix kernel panic due to race in accessing arvif list
	Input: xpad - remove spurious events of wireless xpad 360 controller
	Input: xpad - handle "present" and "gone" correctly
	Input: xpad - update Xbox One Force Feedback Support
	Input: xpad - workaround dead irq_out after suspend/ resume
	Input: xpad - use LED API when identifying wireless controllers
	Input: xpad - correct xbox one pad device name
	Input: xpad - remove unused function
	Input: xpad - add Mad Catz FightStick TE 2 VID/PID
	Input: xpad - prevent spurious input from wired Xbox 360 controllers
	Input: xpad - add more third-party controllers
	Input: xpad - xbox one elite controller support
	Input: xpad - fix rumble on Xbox One controllers with 2015 firmware
	Input: xpad - power off wireless 360 controllers on suspend
	Input: xpad - add product ID for Xbox One S pad
	Input: xpad - fix Xbox One rumble stopping after 2.5 secs
	Input: xpad - correctly sort vendor id's
	Input: xpad - move reporting xbox one home button to common function
	Input: xpad - simplify error condition in init_output
	Input: xpad - don't depend on endpoint order
	Input: xpad - fix stuck mode button on Xbox One S pad
	Input: xpad - restore LED state after device resume
	Input: xpad - support some quirky Xbox One pads
	Input: xpad - sort supported devices by USB ID
	Input: xpad - sync supported devices with xboxdrv
	Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth
	Input: xpad - sync supported devices with 360Controller
	Input: xpad - sync supported devices with XBCD
	Input: xpad - constify usb_device_id
	Input: xpad - fix PowerA init quirk for some gamepad models
	Input: xpad - validate USB endpoint type during probe
	Input: xpad - add support for PDP Xbox One controllers
	Input: xpad - add PDP device id 0x02a4
	Input: xpad - fix some coding style issues
	Input: xpad - avoid using __set_bit() for capabilities
	Input: xpad - add GPD Win 2 Controller USB IDs
	Input: xpad - fix GPD Win 2 controller name
	Input: xpad - add support for Xbox1 PDP Camo series gamepad
	cw1200: Don't leak memory if krealloc failes
	mwifiex: Fix NULL pointer dereference in skb_dequeue()
	mwifiex: fix p2p device doesn't find in scan problem
	netfilter: nf_tables: fix oops when inserting an element into a verdict map
	scsi: ufs: fix bugs related to null pointer access and array size
	scsi: ufshcd: Fix race between clk scaling and ungate work
	scsi: ufs: fix race between clock gating and devfreq scaling work
	scsi: ufshcd: release resources if probe fails
	scsi: qla2xxx: do not queue commands when unloading
	iwlwifi: mvm: fix regulatory domain update when the firmware starts
	tty: wipe buffer.
	tty: wipe buffer if not echoing data
	usb: xhci: fix uninitialized completion when USB3 port got wrong status
	btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
	sched/core: Allow __sched_setscheduler() in interrupts when PI is not used
	namei: allow restricted O_CREAT of FIFOs and regular files
	s390/mm: Check for valid vma before zapping in gmap_discard
	drm/ast: Remove existing framebuffers before loading driver
	Linux 4.4.166

Change-Id: Iba8f0b45bc490f291b504ebb12590b2b01d4f075
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

1 files changed, 50 insertions, 3 deletions

diff --git a/fs/namei.c b/fs/namei.c
index 5b56423e2e0b..9071bb1bd184 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -884,6 +884,8 @@ static inline void put_link(struct nameidata *nd)
 
 int sysctl_protected_symlinks __read_mostly = 0;
 int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_fifos __read_mostly;
+int sysctl_protected_regular __read_mostly;
 
 /**
  * may_follow_link - Check symlink following for unsafe situations
@@ -997,6 +999,45 @@ static int may_linkat(struct path *link)
 	return -EPERM;
 }
 
+/**
+ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
+ *			  should be allowed, or not, on files that already
+ *			  exist.
+ * @dir: the sticky parent directory
+ * @inode: the inode of the file to open
+ *
+ * Block an O_CREAT open of a FIFO (or a regular file) when:
+ *   - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
+ *   - the file already exists
+ *   - we are in a sticky directory
+ *   - we don't own the file
+ *   - the owner of the directory doesn't own the file
+ *   - the directory is world writable
+ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
+ * the directory doesn't have to be world writable: being group writable will
+ * be enough.
+ *
+ * Returns 0 if the open is allowed, -ve on error.
+ */
+static int may_create_in_sticky(struct dentry * const dir,
+				struct inode * const inode)
+{
+	if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
+	    (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
+	    likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
+	    uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
+	    uid_eq(current_fsuid(), inode->i_uid))
+		return 0;
+
+	if (likely(dir->d_inode->i_mode & 0002) ||
+	    (dir->d_inode->i_mode & 0020 &&
+	     ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
+	      (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
+		return -EACCES;
+	}
+	return 0;
+}
+
 static __always_inline
 const char *get_link(struct nameidata *nd)
 {
@@ -3198,9 +3239,15 @@ finish_open:
 		error = -ELOOP;
 		goto out;
 	}
-	error = -EISDIR;
-	if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
-		goto out;
+	if (open_flag & O_CREAT) {
+		error = -EISDIR;
+		if (d_is_dir(nd->path.dentry))
+			goto out;
+		error = may_create_in_sticky(dir,
+					     d_backing_inode(nd->path.dentry));
+		if (unlikely(error))
+			goto out;
+	}
 	error = -ENOTDIR;
 	if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
 		goto out;