From patchwork Tue Jan 2 19:23:11 2024
X-Patchwork-Submitter: Steven Rostedt
X-Patchwork-Id: 184437
Date: Tue, 2 Jan 2024 14:23:11 -0500
From: Steven Rostedt
To: LKML, Linux Trace Kernel
Cc: Masami Hiramatsu, Mark Rutland, Mathieu Desnoyers, "Ubisectech Sirius"
Subject: [PATCH] tracefs: Check for dentry->d_inode exists in set_gid()
Message-ID: <20240102142311.5670813d@gandalf.local.home>

From: "Steven Rostedt (Google)"

If a getdents() is called on the tracefs directory but does not get all
the files, it can leave a "cursor" dentry in the d_subdirs list of tracefs
dentry. This cursor dentry does not have a d_inode for it. Before
referencing tracefs_inode from the dentry, the d_inode must first be
checked if it has content. If not, then it's not a tracefs_inode and can
be ignored.

The following caused a crash:

 #define getdents64(fd, dirp, count) syscall(SYS_getdents64, fd, dirp, count)
 #define BUF_SIZE 256
 #define TDIR "/tmp/file0"

 int main(void)
 {
	char buf[BUF_SIZE];
	int fd;
	int n;

	mkdir(TDIR, 0777);
	mount(NULL, TDIR, "tracefs", 0, NULL);
	fd = openat(AT_FDCWD, TDIR, O_RDONLY);
	n = getdents64(fd, buf, BUF_SIZE);
	ret = mount(NULL, TDIR, NULL, MS_NOSUID|MS_REMOUNT|MS_RELATIME|MS_LAZYTIME, "gid=1000");
	return 0;
 }

That's because the 256 BUF_SIZE was not big enough to read all the
dentries of the tracefs file system and it left a "cursor" dentry in the
subdirs of the tracefs root inode. Then on remounting with "gid=1000",
it would cause an iteration of all dentries which hit:

	ti = get_tracefs(dentry->d_inode);
	if (ti && (ti->flags & TRACEFS_EVENT_INODE))
		eventfs_update_gid(dentry, gid);

Which crashed because of the dereference of the cursor dentry which had a NULL
d_inode.

Link: https://lore.kernel.org/all/20240102135637.3a21fb10@gandalf.local.home/

Cc: stable@vger.kernel.org
Fixes: 7e8358edf503e ("eventfs: Fix file and directory uid and gid ownership")
Reported-by: "Ubisectech Sirius"
Signed-off-by: Steven Rostedt (Google)
--- fs/tracefs/inode.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c index 62524b20964e..c29387a36bc8 100644 --- a/fs/tracefs/inode.c +++ b/fs/tracefs/inode.c 
@@ -219,10 +219,13 @@ static void set_gid(struct dentry *parent, kgid_t gid) change_gid(dentry, gid); - /* If this is the events directory, update that too */ - ti = get_tracefs(dentry->d_inode); - if (ti && (ti->flags & TRACEFS_EVENT_INODE)) - eventfs_update_gid(dentry, gid); + /* Note, getdents() can add a cursor dentry with no inode */ + if (dentry->d_inode) { + /* If this is the events directory, update that too */ + ti = get_tracefs(dentry->d_inode); + if (ti && (ti->flags & TRACEFS_EVENT_INODE)) + eventfs_update_gid(dentry, gid); + } if (!list_empty(&dentry->d_subdirs)) { spin_unlock(&this_parent->d_lock);
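
Review bot: change_gid(dentry, gid) on the first line of this hunk still runs on every dentry before the new if (dentry->d_inode) guard, so the cursor dentry reaches it as well. Its body is not visible here; if it writes through dentry->d_inode without its own NULL check, the guard needs to open above that call so that both the gid change and the eventfs update are skipped for inode-less dentries. If it already checks, a line in the commit message saying so would keep the ordering from looking like an oversight. The new comment could also mention that the cursor sits in the parent's d_subdirs list, as the commit message does, so a reader of set_gid() sees why this walk encounters it.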