mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-19 04:14:49 +08:00
ef1548adad
Recently syzbot reported that unmounting proc when there is an ongoing inotify watch on the root directory of proc could result in a use after free when the watch is removed after the unmount of proc when the watcher exits. Commit69879c01a0
("proc: Remove the now unnecessary internal mount of proc") made it easier to unmount proc and allowed syzbot to see the problem, but looking at the code it has been around for a long time. Looking at the code the fsnotify watch should have been removed by fsnotify_sb_delete in generic_shutdown_super. Unfortunately the inode was allocated with new_inode_pseudo instead of new_inode so the inode was not on the sb->s_inodes list. Which prevented fsnotify_unmount_inodes from finding the inode and removing the watch as well as made it so the "VFS: Busy inodes after unmount" warning could not find the inodes to warn about them. Make all of the inodes in proc visible to generic_shutdown_super, and fsnotify_sb_delete by using new_inode instead of new_inode_pseudo. The only functional difference is that new_inode places the inodes on the sb->s_inodes list. I wrote a small test program and I can verify that without changes it can trigger this issue, and by replacing new_inode_pseudo with new_inode the issues goes away. Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/000000000000d788c905a7dfa3f4@google.com Reported-by: syzbot+7d2debdcdb3cb93c1e5e@syzkaller.appspotmail.com Fixes:0097875bd4
("proc: Implement /proc/thread-self to point at the directory of the current thread") Fixes:021ada7dff
("procfs: switch /proc/self away from proc_dir_entry") Fixes:51f0885e54
("vfs,proc: guarantee unique inodes in /proc") Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
74 lines
1.9 KiB
C
74 lines
1.9 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#include <linux/cache.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/pid_namespace.h>
|
|
#include "internal.h"
|
|
|
|
/*
|
|
* /proc/thread_self:
|
|
*/
|
|
static const char *proc_thread_self_get_link(struct dentry *dentry,
|
|
struct inode *inode,
|
|
struct delayed_call *done)
|
|
{
|
|
struct pid_namespace *ns = proc_pid_ns(inode->i_sb);
|
|
pid_t tgid = task_tgid_nr_ns(current, ns);
|
|
pid_t pid = task_pid_nr_ns(current, ns);
|
|
char *name;
|
|
|
|
if (!pid)
|
|
return ERR_PTR(-ENOENT);
|
|
name = kmalloc(10 + 6 + 10 + 1, dentry ? GFP_KERNEL : GFP_ATOMIC);
|
|
if (unlikely(!name))
|
|
return dentry ? ERR_PTR(-ENOMEM) : ERR_PTR(-ECHILD);
|
|
sprintf(name, "%u/task/%u", tgid, pid);
|
|
set_delayed_call(done, kfree_link, name);
|
|
return name;
|
|
}
|
|
|
|
static const struct inode_operations proc_thread_self_inode_operations = {
|
|
.get_link = proc_thread_self_get_link,
|
|
};
|
|
|
|
static unsigned thread_self_inum __ro_after_init;
|
|
|
|
int proc_setup_thread_self(struct super_block *s)
|
|
{
|
|
struct inode *root_inode = d_inode(s->s_root);
|
|
struct proc_fs_info *fs_info = proc_sb_info(s);
|
|
struct dentry *thread_self;
|
|
int ret = -ENOMEM;
|
|
|
|
inode_lock(root_inode);
|
|
thread_self = d_alloc_name(s->s_root, "thread-self");
|
|
if (thread_self) {
|
|
struct inode *inode = new_inode(s);
|
|
if (inode) {
|
|
inode->i_ino = thread_self_inum;
|
|
inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode);
|
|
inode->i_mode = S_IFLNK | S_IRWXUGO;
|
|
inode->i_uid = GLOBAL_ROOT_UID;
|
|
inode->i_gid = GLOBAL_ROOT_GID;
|
|
inode->i_op = &proc_thread_self_inode_operations;
|
|
d_add(thread_self, inode);
|
|
ret = 0;
|
|
} else {
|
|
dput(thread_self);
|
|
}
|
|
}
|
|
inode_unlock(root_inode);
|
|
|
|
if (ret)
|
|
pr_err("proc_fill_super: can't allocate /proc/thread-self\n");
|
|
else
|
|
fs_info->proc_thread_self = thread_self;
|
|
|
|
return ret;
|
|
}
|
|
|
|
void __init proc_thread_self_init(void)
|
|
{
|
|
proc_alloc_inum(&thread_self_inum);
|
|
}
|