UBUNTU: SAUCE: aufs: bugfix, IMA i_readcount

By the recent commit
	21913077f9918 2020-06-17 aufs: do not call i_readcount_inc()
a very old bug was fixed, which is inblance counter.
But still aufs needs to call i_readcount_inc() when the branch
permission is chaned from RW to RO.  Otherwise the counter reaches 0
and BUG() in i_readcount_dec() will be activated.
Signed-off-by: J. R. Okajima <hooanon05g@gmail.com>
(cherry picked from commit f10aea57d39d6cd311312e9e7746804f7059b5c8 aufs4-linux.git)
CVE-2020-11935
Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

fs/aufs/branch.c

@@ -1202,6 +1202,7 @@ static int au_br_mod_files_ro(struct super_block *sb, aufs_bindex_t bindex)
 	unsigned char verbose, writer;
 	struct file *file, *hf, **array;
 	struct au_hfile *hfile;
+	struct inode *h_inode;
 
 	mnt_flags = au_mntflags(sb);
 	verbose = !!au_opt_test(mnt_flags, VERBOSE);
@@ -1272,7 +1273,10 @@ static int au_br_mod_files_ro(struct super_block *sb, aufs_bindex_t bindex)
 		hf->f_mode &= ~(FMODE_WRITE | FMODE_WRITER);
 		spin_unlock(&hf->f_lock);
 		if (writer) {
-			put_write_access(file_inode(hf));
+			h_inode = file_inode(hf);
+			if (hf->f_mode & FMODE_READ)
+				i_readcount_inc(h_inode);
+			put_write_access(h_inode);
 			__mnt_drop_write(hf->f_path.mnt);
 		}
 	}