On Thu, Jun 13, 2019 at 10:47:28AM +0200, Miklos Szeredi wrote:
> On Wed, Jun 12, 2019 at 11:43:13AM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > sys_fsmount() needs to take a reference to the new mount when adding it
> > to the anonymous mount namespace. Otherwise the filesystem can be
> > unmounted while it's still in use, as found by syzkaller.
>
> So it needs one count for the file (which dentry_open() obtains) and one for the
> attachment into the anonymous namespace. The latter one is dropped at cleanup
> time, so your patch appears to be correct at getting that ref.
Yes.
>
> I wonder why such a blatant use-after-free was missed in normal testing. RCU
> delayed freeing, I guess?
It's because mount freeing is delayed by task_work_add(), so normally the refcnt
would be dropped to -1 when the file is closed without problems. The problems
only showed up if you took another reference, e.g. by fchdir().
>
> How about this additional sanity checking patch?
Seems like a good idea. Without my fix, the WARNING is triggered by the
following program (no fchdir() needed):
int main(void)
{
int fs;
fs = syscall(__NR_fsopen, "ramfs", 0);
syscall(__NR_fsconfig, fs, 6, 0, 0, 0);
syscall(__NR_fsmount, fs, 0, 0);
}
Can you send it as a formal patch?
- Eric
