mirror of
https://github.com/adulau/aha.git
synced 2024-12-28 11:46:19 +00:00
c2319540cd
proc_kill_inodes() can clear ->i_fop in the middle of vfs_readdir resulting in NULL dereference during "file->f_op->readdir(file, buf, filler)". The solution is to remove proc_kill_inodes() completely: a) we don't have tricky modules implementing their tricky readdir hooks which could keeping this revoke from hell. b) In a situation when module is gone but PDE still alive, standard readdir will return only "." and "..", because pde->next was cleared by remove_proc_entry(). c) the race proc_kill_inode() destined to prevent is not completely fixed, just race window made smaller, because vfs_readdir() is run without sb_lock held and without file_list_lock held. Effectively, ->i_fop is cleared at random moment, which can't fix properly anything. BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018 printing eip: c1061205 *pdpt = 0000000005b22001 *pde = 0000000000000000 Oops: 0000 [#1] PREEMPT SMP Modules linked in: foo af_packet ipv6 cpufreq_ondemand loop serio_raw sr_mod k8temp cdrom hwmon amd_rng Pid: 2033, comm: find Not tainted (2.6.24-rc1-b1d08ac064268d0ae2281e98bf5e82627e0f0c56 #2) EIP: 0060:[<c1061205>] EFLAGS: 00010246 CPU: 0 EIP is at vfs_readdir+0x47/0x74 EAX: c6b6a780 EBX: 00000000 ECX: c1061040 EDX: c5decf94 ESI: c6b6a780 EDI: fffffffe EBP: c9797c54 ESP: c5decf78 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process find (pid: 2033, ti=c5dec000 task=c64bba90 task.ti=c5dec000) Stack: c5decf94 c1061040 fffffff7 0805ffbc 00000000 c6b6a780 c1061295 0805ffbc 00000000 00000400 00000000 00000004 0805ffbc 4588eff4 c5dec000 c10026ba 00000004 0805ffbc 00000400 0805ffbc 4588eff4 bfdc6c70 000000dc 0000007b Call Trace: [<c1061040>] filldir64+0x0/0xc5 [<c1061295>] sys_getdents64+0x63/0xa5 [<c10026ba>] sysenter_past_esp+0x5f/0x85 ======================= Code: 49 83 78 18 00 74 43 8d 6b 74 bf fe ff ff ff 89 e8 e8 b8 c0 12 00 f6 83 2c 01 00 00 10 75 22 8b 5e 10 8b 4c 24 04 89 f0 8b 14 24 <ff> 53 18 f6 46 1a 04 89 c7 75 0b 8b 56 0c 8b 46 08 e8 c8 66 00 EIP: [<c1061205>] vfs_readdir+0x47/0x74 SS:ESP 0068:c5decf78 hch: "Nice, getting rid of this is a very good step formwards. Unfortunately we have another copy of this junk in security/selinux/selinuxfs.c:sel_remove_entries() which would need the same treatment." Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru> Acked-by: Christoph Hellwig <hch@infradead.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: James Morris <jmorris@namei.org> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
238 lines
5.1 KiB
C
238 lines
5.1 KiB
C
/*
|
|
* linux/fs/proc/root.c
|
|
*
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
*
|
|
* proc root directory handling functions
|
|
*/
|
|
|
|
#include <asm/uaccess.h>
|
|
|
|
#include <linux/errno.h>
|
|
#include <linux/time.h>
|
|
#include <linux/proc_fs.h>
|
|
#include <linux/stat.h>
|
|
#include <linux/init.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/module.h>
|
|
#include <linux/bitops.h>
|
|
#include <linux/smp_lock.h>
|
|
#include <linux/mount.h>
|
|
#include <linux/pid_namespace.h>
|
|
|
|
#include "internal.h"
|
|
|
|
struct proc_dir_entry *proc_bus, *proc_root_fs, *proc_root_driver;
|
|
|
|
static int proc_test_super(struct super_block *sb, void *data)
|
|
{
|
|
return sb->s_fs_info == data;
|
|
}
|
|
|
|
static int proc_set_super(struct super_block *sb, void *data)
|
|
{
|
|
struct pid_namespace *ns;
|
|
|
|
ns = (struct pid_namespace *)data;
|
|
sb->s_fs_info = get_pid_ns(ns);
|
|
return set_anon_super(sb, NULL);
|
|
}
|
|
|
|
static int proc_get_sb(struct file_system_type *fs_type,
|
|
int flags, const char *dev_name, void *data, struct vfsmount *mnt)
|
|
{
|
|
int err;
|
|
struct super_block *sb;
|
|
struct pid_namespace *ns;
|
|
struct proc_inode *ei;
|
|
|
|
if (proc_mnt) {
|
|
/* Seed the root directory with a pid so it doesn't need
|
|
* to be special in base.c. I would do this earlier but
|
|
* the only task alive when /proc is mounted the first time
|
|
* is the init_task and it doesn't have any pids.
|
|
*/
|
|
ei = PROC_I(proc_mnt->mnt_sb->s_root->d_inode);
|
|
if (!ei->pid)
|
|
ei->pid = find_get_pid(1);
|
|
}
|
|
|
|
if (flags & MS_KERNMOUNT)
|
|
ns = (struct pid_namespace *)data;
|
|
else
|
|
ns = current->nsproxy->pid_ns;
|
|
|
|
sb = sget(fs_type, proc_test_super, proc_set_super, ns);
|
|
if (IS_ERR(sb))
|
|
return PTR_ERR(sb);
|
|
|
|
if (!sb->s_root) {
|
|
sb->s_flags = flags;
|
|
err = proc_fill_super(sb);
|
|
if (err) {
|
|
up_write(&sb->s_umount);
|
|
deactivate_super(sb);
|
|
return err;
|
|
}
|
|
|
|
ei = PROC_I(sb->s_root->d_inode);
|
|
if (!ei->pid) {
|
|
rcu_read_lock();
|
|
ei->pid = get_pid(find_pid_ns(1, ns));
|
|
rcu_read_unlock();
|
|
}
|
|
|
|
sb->s_flags |= MS_ACTIVE;
|
|
ns->proc_mnt = mnt;
|
|
}
|
|
|
|
return simple_set_mnt(mnt, sb);
|
|
}
|
|
|
|
static void proc_kill_sb(struct super_block *sb)
|
|
{
|
|
struct pid_namespace *ns;
|
|
|
|
ns = (struct pid_namespace *)sb->s_fs_info;
|
|
kill_anon_super(sb);
|
|
put_pid_ns(ns);
|
|
}
|
|
|
|
static struct file_system_type proc_fs_type = {
|
|
.name = "proc",
|
|
.get_sb = proc_get_sb,
|
|
.kill_sb = proc_kill_sb,
|
|
};
|
|
|
|
void __init proc_root_init(void)
|
|
{
|
|
int err = proc_init_inodecache();
|
|
if (err)
|
|
return;
|
|
err = register_filesystem(&proc_fs_type);
|
|
if (err)
|
|
return;
|
|
proc_mnt = kern_mount_data(&proc_fs_type, &init_pid_ns);
|
|
err = PTR_ERR(proc_mnt);
|
|
if (IS_ERR(proc_mnt)) {
|
|
unregister_filesystem(&proc_fs_type);
|
|
return;
|
|
}
|
|
|
|
proc_misc_init();
|
|
|
|
proc_net_init();
|
|
|
|
#ifdef CONFIG_SYSVIPC
|
|
proc_mkdir("sysvipc", NULL);
|
|
#endif
|
|
proc_root_fs = proc_mkdir("fs", NULL);
|
|
proc_root_driver = proc_mkdir("driver", NULL);
|
|
proc_mkdir("fs/nfsd", NULL); /* somewhere for the nfsd filesystem to be mounted */
|
|
#if defined(CONFIG_SUN_OPENPROMFS) || defined(CONFIG_SUN_OPENPROMFS_MODULE)
|
|
/* just give it a mountpoint */
|
|
proc_mkdir("openprom", NULL);
|
|
#endif
|
|
proc_tty_init();
|
|
#ifdef CONFIG_PROC_DEVICETREE
|
|
proc_device_tree_init();
|
|
#endif
|
|
proc_bus = proc_mkdir("bus", NULL);
|
|
proc_sys_init();
|
|
}
|
|
|
|
static int proc_root_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat
|
|
)
|
|
{
|
|
generic_fillattr(dentry->d_inode, stat);
|
|
stat->nlink = proc_root.nlink + nr_processes();
|
|
return 0;
|
|
}
|
|
|
|
static struct dentry *proc_root_lookup(struct inode * dir, struct dentry * dentry, struct nameidata *nd)
|
|
{
|
|
if (!proc_lookup(dir, dentry, nd)) {
|
|
return NULL;
|
|
}
|
|
|
|
return proc_pid_lookup(dir, dentry, nd);
|
|
}
|
|
|
|
static int proc_root_readdir(struct file * filp,
|
|
void * dirent, filldir_t filldir)
|
|
{
|
|
unsigned int nr = filp->f_pos;
|
|
int ret;
|
|
|
|
lock_kernel();
|
|
|
|
if (nr < FIRST_PROCESS_ENTRY) {
|
|
int error = proc_readdir(filp, dirent, filldir);
|
|
if (error <= 0) {
|
|
unlock_kernel();
|
|
return error;
|
|
}
|
|
filp->f_pos = FIRST_PROCESS_ENTRY;
|
|
}
|
|
unlock_kernel();
|
|
|
|
ret = proc_pid_readdir(filp, dirent, filldir);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* The root /proc directory is special, as it has the
|
|
* <pid> directories. Thus we don't use the generic
|
|
* directory handling functions for that..
|
|
*/
|
|
static const struct file_operations proc_root_operations = {
|
|
.read = generic_read_dir,
|
|
.readdir = proc_root_readdir,
|
|
};
|
|
|
|
/*
|
|
* proc root can do almost nothing..
|
|
*/
|
|
static const struct inode_operations proc_root_inode_operations = {
|
|
.lookup = proc_root_lookup,
|
|
.getattr = proc_root_getattr,
|
|
};
|
|
|
|
/*
|
|
* This is the root "inode" in the /proc tree..
|
|
*/
|
|
struct proc_dir_entry proc_root = {
|
|
.low_ino = PROC_ROOT_INO,
|
|
.namelen = 5,
|
|
.name = "/proc",
|
|
.mode = S_IFDIR | S_IRUGO | S_IXUGO,
|
|
.nlink = 2,
|
|
.proc_iops = &proc_root_inode_operations,
|
|
.proc_fops = &proc_root_operations,
|
|
.parent = &proc_root,
|
|
};
|
|
|
|
int pid_ns_prepare_proc(struct pid_namespace *ns)
|
|
{
|
|
struct vfsmount *mnt;
|
|
|
|
mnt = kern_mount_data(&proc_fs_type, ns);
|
|
if (IS_ERR(mnt))
|
|
return PTR_ERR(mnt);
|
|
|
|
return 0;
|
|
}
|
|
|
|
void pid_ns_release_proc(struct pid_namespace *ns)
|
|
{
|
|
mntput(ns->proc_mnt);
|
|
}
|
|
|
|
EXPORT_SYMBOL(proc_symlink);
|
|
EXPORT_SYMBOL(proc_mkdir);
|
|
EXPORT_SYMBOL(create_proc_entry);
|
|
EXPORT_SYMBOL(remove_proc_entry);
|
|
EXPORT_SYMBOL(proc_root);
|
|
EXPORT_SYMBOL(proc_root_fs);
|
|
EXPORT_SYMBOL(proc_bus);
|
|
EXPORT_SYMBOL(proc_root_driver);
|