From 1dd9bc08cf1420d466dd8dcfcc233777e61ca5d2 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Wed, 21 Aug 2019 22:16:33 -0700 Subject: [PATCH 1/4] vfs: set fs_context::user_ns for reconfigure fs_context::user_ns is used by fuse_parse_param(), even during remount, so it needs to be set to the existing value for reconfigure. Reproducer: #include #include int main() { char opts[128]; int fd = open("/dev/fuse", O_RDWR); sprintf(opts, "fd=%d,rootmode=040000,user_id=0,group_id=0", fd); mkdir("mnt", 0777); mount("foo", "mnt", "fuse.foo", 0, opts); mount("foo", "mnt", "fuse.foo", MS_REMOUNT, opts); } Crash: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 0 PID: 129 Comm: syz_make_kuid Not tainted 5.3.0-rc5-next-20190821 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014 RIP: 0010:map_id_range_down+0xb/0xc0 kernel/user_namespace.c:291 [...] Call Trace: map_id_down kernel/user_namespace.c:312 [inline] make_kuid+0xe/0x10 kernel/user_namespace.c:389 fuse_parse_param+0x116/0x210 fs/fuse/inode.c:523 vfs_parse_fs_param+0xdb/0x1b0 fs/fs_context.c:145 vfs_parse_fs_string+0x6a/0xa0 fs/fs_context.c:188 generic_parse_monolithic+0x85/0xc0 fs/fs_context.c:228 parse_monolithic_mount_data+0x1b/0x20 fs/fs_context.c:708 do_remount fs/namespace.c:2525 [inline] do_mount+0x39a/0xa60 fs/namespace.c:3107 ksys_mount+0x7d/0xd0 fs/namespace.c:3325 __do_sys_mount fs/namespace.c:3339 [inline] __se_sys_mount fs/namespace.c:3336 [inline] __x64_sys_mount+0x20/0x30 fs/namespace.c:3336 do_syscall_64+0x4a/0x1a0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Reported-by: syzbot+7d6a57304857423318a5@syzkaller.appspotmail.com Fixes: 408cbe695350 ("vfs: Convert fuse to use the new mount API") Cc: David Howells Cc: Miklos Szeredi Signed-off-by: Eric Biggers Reviewed-by: David Howells 
Signed-off-by: Al Viro --- fs/fs_context.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/fs_context.c b/fs/fs_context.c index 103643c68e3f..87c2c9687d90 100644 --- a/fs/fs_context.c +++ b/fs/fs_context.c @@ -279,10 +279,8 @@ static struct fs_context *alloc_fs_context(struct file_system_type *fs_type, fc->user_ns = get_user_ns(reference->d_sb->s_user_ns); break; case FS_CONTEXT_FOR_RECONFIGURE: - /* We don't pin any namespaces as the superblock's - * subscriptions cannot be changed at this point. - */ atomic_inc(&reference->d_sb->s_active); + fc->user_ns = get_user_ns(reference->d_sb->s_user_ns); fc->root = dget(reference); break; } From 533770cc0ae84890624dc129609f3d75855c8982 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 3 Sep 2019 19:05:48 -0400 Subject: [PATCH 2/4] new helper: get_tree_keyed() For vfs_get_keyed_super users. Signed-off-by: Al Viro --- fs/nfsd/nfsctl.c | 3 +-- fs/proc/root.c | 3 +-- fs/super.c | 10 ++++++++++ include/linux/fs_context.h | 7 ++++++- ipc/mqueue.c | 3 +-- net/sunrpc/rpc_pipe.c | 3 +-- 6 files changed, 20 insertions(+), 9 deletions(-) diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c index 13c548733860..695223394985 100644 --- a/fs/nfsd/nfsctl.c +++ b/fs/nfsd/nfsctl.c @@ -1386,8 +1386,7 @@ static int nfsd_fill_super(struct super_block *sb, struct fs_context *fc) static int nfsd_fs_get_tree(struct fs_context *fc) { - fc->s_fs_info = get_net(fc->net_ns); - return vfs_get_super(fc, vfs_get_keyed_super, nfsd_fill_super); + return get_tree_keyed(fc, nfsd_fill_super, get_net(fc->net_ns)); } static void nfsd_fs_free_fc(struct fs_context *fc) diff --git a/fs/proc/root.c b/fs/proc/root.c index 33f72d1b92cc..0b7c8dffc9ae 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c 
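Review bot: The added `fc->user_ns = get_user_ns(reference->d_sb->s_user_ns);` now takes a namespace reference on the reconfigure path, so the matching put in the context teardown (outside this hunk, presumably put_fs_context()) has to run for FS_CONTEXT_FOR_RECONFIGURE too; please confirm, since the removed comment said this path deliberately pinned nothing. The same reasoning applies to fc->net_ns, which this hunk still does not set for reconfigure, so a ->parse_param() that reads it on remount would hit the same NULL-dereference class this commit fixes. Rather than dropping the comment entirely, a replacement such as `/* ->parse_param() may need user_ns on remount, so pin it as for the other cases */` keeps the intent visible. The alloc_fs_context() switch continues outside the hunk.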
@@ -157,8 +157,7 @@ static int proc_get_tree(struct fs_context *fc) { struct proc_fs_context *ctx = fc->fs_private; - fc->s_fs_info = ctx->pid_ns; - return vfs_get_super(fc, vfs_get_keyed_super, proc_fill_super); + return get_tree_keyed(fc, proc_fill_super, ctx->pid_ns); } static void proc_fs_context_free(struct fs_context *fc) diff --git a/fs/super.c b/fs/super.c index 5960578a4076..0220def9baba 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1211,6 +1211,16 @@ int get_tree_single(struct fs_context *fc, } EXPORT_SYMBOL(get_tree_single); +int get_tree_keyed(struct fs_context *fc, + int (*fill_super)(struct super_block *sb, + struct fs_context *fc), + void *key) +{ + fc->s_fs_info = key; + return vfs_get_super(fc, vfs_get_keyed_super, fill_super); +} +EXPORT_SYMBOL(get_tree_keyed); + #ifdef CONFIG_BLOCK static int set_bdev_super(struct super_block *s, void *data) { diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h index 7c6fe3d47fa6..aad5e68d58e2 100644 --- a/include/linux/fs_context.h +++ b/include/linux/fs_context.h @@ -136,7 +136,7 @@ extern int vfs_get_tree(struct fs_context *fc); extern void put_fs_context(struct fs_context *fc); /* - * sget() wrapper to be called from the ->get_tree() op. + * sget() wrappers to be called from the ->get_tree() op. */ enum vfs_get_super_keying { vfs_get_single_super, /* Only one such superblock may exist */ @@ -147,12 +147,17 @@ extern int vfs_get_super(struct fs_context *fc, enum vfs_get_super_keying keying, int (*fill_super)(struct super_block *sb, struct fs_context *fc)); + extern int get_tree_nodev(struct fs_context *fc, int (*fill_super)(struct super_block *sb, struct fs_context *fc)); extern int get_tree_single(struct fs_context *fc, int (*fill_super)(struct super_block *sb, struct fs_context *fc)); +extern int get_tree_keyed(struct fs_context *fc, + int (*fill_super)(struct super_block *sb, + struct fs_context *fc), + void *key); extern const struct file_operations fscontext_fops; 
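Review bot: get_tree_keyed() in fs/super.c is exported but carries no kernel-doc, although its one contract — that `key` is stored in fc->s_fs_info before vfs_get_super() runs, with the caller's reference on it — is exactly what the four converted callers (nfsd, proc, mqueue, rpc_pipe) rely on. Suggest a block above it of the form `/** get_tree_keyed - Get a superblock keyed by an opaque value`, `@fc: The filesystem context holding the parameters`, `@fill_super: Helper to initialise a new superblock`, `@key: Stored in fc->s_fs_info before the superblock is looked up`, matching the style get_tree_bdev() uses in the following patch. The declaration added to include/linux/fs_context.h would benefit from the same one-line summary, since the "sget() wrappers" comment there describes none of the individual helpers.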
diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 7a5a8edc3de3..7c15729d9d25 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -364,8 +364,7 @@ static int mqueue_get_tree(struct fs_context *fc) { struct mqueue_fs_context *ctx = fc->fs_private; - fc->s_fs_info = ctx->ipc_ns; - return vfs_get_super(fc, vfs_get_keyed_super, mqueue_fill_super); + return get_tree_keyed(fc, mqueue_fill_super, ctx->ipc_ns); } static void mqueue_fs_context_free(struct fs_context *fc) diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c index 748bac601e47..b71a39ded930 100644 --- a/net/sunrpc/rpc_pipe.c +++ b/net/sunrpc/rpc_pipe.c @@ -1416,8 +1416,7 @@ EXPORT_SYMBOL_GPL(gssd_running); static int rpc_fs_get_tree(struct fs_context *fc) { - fc->s_fs_info = get_net(fc->net_ns); - return vfs_get_super(fc, vfs_get_keyed_super, rpc_fill_super); + return get_tree_keyed(fc, rpc_fill_super, get_net(fc->net_ns)); } static void rpc_fs_free_fc(struct fs_context *fc) From fe62c3a4e17ddfe672710425ab6eba2ba7203526 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 27 Mar 2019 14:15:16 +0000 Subject: [PATCH 3/4] vfs: Create fs_context-aware mount_bdev() replacement Create a function, get_tree_bdev(), that is fs_context-aware and a ->get_tree() counterpart of mount_bdev(). It caches the block device pointer in the fs_context struct so that this information can be passed into sget_fc()'s test and set functions. Signed-off-by: David Howells cc: Jens Axboe cc: linux-block@vger.kernel.org Signed-off-by: Al Viro --- fs/super.c | 94 ++++++++++++++++++++++++++++++++++++++ include/linux/fs_context.h | 5 ++ 2 files changed, 99 insertions(+) diff --git a/fs/super.c b/fs/super.c index 0220def9baba..da223b4cfbca 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1222,6 +1222,7 @@ int get_tree_keyed(struct fs_context *fc, EXPORT_SYMBOL(get_tree_keyed); #ifdef CONFIG_BLOCK + static int set_bdev_super(struct super_block *s, void *data) { s->s_bdev = data; 
@@ -1231,6 +1232,99 @@ static int set_bdev_super(struct super_block *s, void *data) return 0; } +static int set_bdev_super_fc(struct super_block *s, struct fs_context *fc) +{ + return set_bdev_super(s, fc->sget_key); +} + +static int test_bdev_super_fc(struct super_block *s, struct fs_context *fc) +{ + return s->s_bdev == fc->sget_key; +} + +/** + * get_tree_bdev - Get a superblock based on a single block device + * @fc: The filesystem context holding the parameters + * @fill_super: Helper to initialise a new superblock + */ +int get_tree_bdev(struct fs_context *fc, + int (*fill_super)(struct super_block *, + struct fs_context *)) +{ + struct block_device *bdev; + struct super_block *s; + fmode_t mode = FMODE_READ | FMODE_EXCL; + int error = 0; + + if (!(fc->sb_flags & SB_RDONLY)) + mode |= FMODE_WRITE; + + if (!fc->source) + return invalf(fc, "No source specified"); + + bdev = blkdev_get_by_path(fc->source, mode, fc->fs_type); + if (IS_ERR(bdev)) { + errorf(fc, "%s: Can't open blockdev", fc->source); + return PTR_ERR(bdev); + } + + /* Once the superblock is inserted into the list by sget_fc(), s_umount + * will protect the lockfs code from trying to start a snapshot while + * we are mounting + */ + mutex_lock(&bdev->bd_fsfreeze_mutex); + if (bdev->bd_fsfreeze_count > 0) { + mutex_unlock(&bdev->bd_fsfreeze_mutex); + warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev); + return -EBUSY; + } + + fc->sb_flags |= SB_NOSEC; + fc->sget_key = bdev; + s = sget_fc(fc, test_bdev_super_fc, set_bdev_super_fc); + mutex_unlock(&bdev->bd_fsfreeze_mutex); + if (IS_ERR(s)) + return PTR_ERR(s); + + if (s->s_root) { + /* Don't summarily change the RO/RW state. */ + if ((fc->sb_flags ^ s->s_flags) & SB_RDONLY) { + warnf(fc, "%pg: Can't mount, would change RO state", bdev); + deactivate_locked_super(s); + blkdev_put(bdev, mode); + return -EBUSY; + } + + /* + * s_umount nests inside bd_mutex during + * __invalidate_device(). 
blkdev_put() acquires + * bd_mutex and can't be called under s_umount. Drop + * s_umount temporarily. This is safe as we're + * holding an active reference. + */ + up_write(&s->s_umount); + blkdev_put(bdev, mode); + down_write(&s->s_umount); + } else { + s->s_mode = mode; + snprintf(s->s_id, sizeof(s->s_id), "%pg", bdev); + sb_set_blocksize(s, block_size(bdev)); + error = fill_super(s, fc); + if (error) { + deactivate_locked_super(s); + return error; + } + + s->s_flags |= SB_ACTIVE; + bdev->bd_super = s; + } + + BUG_ON(fc->root); + fc->root = dget(s->s_root); + return 0; +} +EXPORT_SYMBOL(get_tree_bdev); + static int test_bdev_super(struct super_block *s, void *data) { return (void *)s->s_bdev == data; diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h index aad5e68d58e2..84a5eaa09f19 100644 --- a/include/linux/fs_context.h +++ b/include/linux/fs_context.h @@ -88,6 +88,7 @@ struct fs_context { struct mutex uapi_mutex; /* Userspace access mutex */ struct file_system_type *fs_type; void *fs_private; /* The filesystem's context */ + void *sget_key; struct dentry *root; /* The root and superblock */ struct user_namespace *user_ns; /* The user namespace for this mount */ struct net *net_ns; /* The network namespace for this mount */ @@ -159,6 +160,10 @@ extern int get_tree_keyed(struct fs_context *fc, struct fs_context *fc), void *key); +extern int get_tree_bdev(struct fs_context *fc, + int (*fill_super)(struct super_block *sb, + struct fs_context *fc)); + extern const struct file_operations fscontext_fops; /* From 0f071004109d9c8de7023b9a64fa2ba3fa87cbed Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 25 Mar 2019 16:38:31 +0000 Subject: [PATCH 4/4] mtd: Provide fs_context-aware mount_mtd() replacement Provide a function, get_tree_mtd(), to replace mount_mtd(), using an fs_context struct to hold the parameters. 
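Review bot: Two error paths in get_tree_bdev() return without releasing the block device that blkdev_get_by_path() opened with FMODE_EXCL: the frozen check (`warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev); return -EBUSY;`) and the sget_fc() failure (`if (IS_ERR(s)) return PTR_ERR(s);`). Both need `blkdev_put(bdev, mode);` before returning, otherwise the exclusive claim on the device is never dropped and subsequent mounts of it fail. The RO-state mismatch branch already does this correctly, and the fill_super() failure path looks fine because s->s_mode is set first, so deactivate_locked_super() presumably hands the release to the filesystem's kill_sb; worth confirming.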
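Review bot: The new `void *sget_key;` member of struct fs_context is the only field in that group without a trailing comment, and nothing says who owns the object it points to. Given that set_bdev_super_fc()/test_bdev_super_fc() read it as the opaque key handed to sget_fc()'s test/set callbacks, suggest `void *sget_key;		/* Key for sget_fc() test/set callbacks; set by the ->get_tree() helper, no reference held */`.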
Signed-off-by: David Howells cc: David Woodhouse cc: Brian Norris cc: Boris Brezillon cc: Marek Vasut cc: Richard Weinberger cc: linux-mtd@lists.infradead.org Signed-off-by: Al Viro --- drivers/mtd/mtdcore.h | 1 + drivers/mtd/mtdsuper.c | 179 +++++++++++++++++++++++++++++++++++++- include/linux/mtd/super.h | 3 + 3 files changed, 181 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/mtdcore.h b/drivers/mtd/mtdcore.h index b31c868019ad..b5eefeabf310 100644 --- a/drivers/mtd/mtdcore.h +++ b/drivers/mtd/mtdcore.h @@ -5,6 +5,7 @@ */ extern struct mutex mtd_table_mutex; +extern struct backing_dev_info *mtd_bdi; struct mtd_info *__mtd_next_device(int i); int __must_check add_mtd_device(struct mtd_info *mtd); diff --git a/drivers/mtd/mtdsuper.c b/drivers/mtd/mtdsuper.c index 4f042a3653ce..3f9a3b7b12c5 100644 --- a/drivers/mtd/mtdsuper.c +++ b/drivers/mtd/mtdsuper.c 
@@ -15,6 +15,183 @@ #include #include #include +#include +#include "mtdcore.h" + +/* + * compare superblocks to see if they're equivalent + * - they are if the underlying MTD device is the same + */ +static int mtd_test_super(struct super_block *sb, struct fs_context *fc) +{ + struct mtd_info *mtd = fc->sget_key; + + if (sb->s_mtd == fc->sget_key) { + pr_debug("MTDSB: Match on device %d (\"%s\")\n", + mtd->index, mtd->name); + return 1; + } + + pr_debug("MTDSB: No match, device %d (\"%s\"), device %d (\"%s\")\n", + sb->s_mtd->index, sb->s_mtd->name, mtd->index, mtd->name); + return 0; +} + +/* + * mark the superblock by the MTD device it is using + * - set the device number to be the correct MTD block device for pesuperstence + * of NFS exports + */ +static int mtd_set_super(struct super_block *sb, struct fs_context *fc) +{ + sb->s_mtd = fc->sget_key; + sb->s_dev = MKDEV(MTD_BLOCK_MAJOR, sb->s_mtd->index); + sb->s_bdi = bdi_get(mtd_bdi); + return 0; +} + +/* + * get a superblock on an MTD-backed filesystem + */ +static int mtd_get_sb(struct fs_context *fc, + struct mtd_info *mtd, + int (*fill_super)(struct super_block *, + struct fs_context *)) +{ + struct super_block *sb; + int ret; + + fc->sget_key = mtd; + sb = sget_fc(fc, mtd_test_super, mtd_set_super); + if (IS_ERR(sb)) + return PTR_ERR(sb); + + if (sb->s_root) { + /* new mountpoint for an already mounted superblock */ + pr_debug("MTDSB: Device %d (\"%s\") is already mounted\n", + mtd->index, mtd->name); + put_mtd_device(mtd); + } else { + /* fresh new superblock */ + pr_debug("MTDSB: New superblock for device %d (\"%s\")\n", + mtd->index, mtd->name); + + ret = fill_super(sb, fc); + if (ret < 0) + goto error_sb; + + sb->s_flags |= SB_ACTIVE; + } + + BUG_ON(fc->root); + fc->root = dget(sb->s_root); + return 0; + +error_sb: + deactivate_locked_super(sb); + return ret; +} + +/* + * get a superblock on an MTD-backed filesystem by MTD device number + */ +static int mtd_get_sb_by_nr(struct fs_context *fc, int mtdnr, 
+ int (*fill_super)(struct super_block *, + struct fs_context *)) +{ + struct mtd_info *mtd; + + mtd = get_mtd_device(NULL, mtdnr); + if (IS_ERR(mtd)) { + errorf(fc, "MTDSB: Device #%u doesn't appear to exist\n", mtdnr); + return PTR_ERR(mtd); + } + + return mtd_get_sb(fc, mtd, fill_super); +} + +/** + * get_tree_mtd - Get a superblock based on a single MTD device + * @fc: The filesystem context holding the parameters + * @fill_super: Helper to initialise a new superblock + */ +int get_tree_mtd(struct fs_context *fc, + int (*fill_super)(struct super_block *sb, + struct fs_context *fc)) +{ +#ifdef CONFIG_BLOCK + struct block_device *bdev; + int ret, major; +#endif + int mtdnr; + + if (!fc->source) + return invalf(fc, "No source specified"); + + pr_debug("MTDSB: dev_name \"%s\"\n", fc->source); + + /* the preferred way of mounting in future; especially when + * CONFIG_BLOCK=n - we specify the underlying MTD device by number or + * by name, so that we don't require block device support to be present + * in the kernel. 
+ */ + if (fc->source[0] == 'm' && + fc->source[1] == 't' && + fc->source[2] == 'd') { + if (fc->source[3] == ':') { + struct mtd_info *mtd; + + /* mount by MTD device name */ + pr_debug("MTDSB: mtd:%%s, name \"%s\"\n", + fc->source + 4); + + mtd = get_mtd_device_nm(fc->source + 4); + if (!IS_ERR(mtd)) + return mtd_get_sb(fc, mtd, fill_super); + + errorf(fc, "MTD: MTD device with name \"%s\" not found", + fc->source + 4); + + } else if (isdigit(fc->source[3])) { + /* mount by MTD device number name */ + char *endptr; + + mtdnr = simple_strtoul(fc->source + 3, &endptr, 0); + if (!*endptr) { + /* It was a valid number */ + pr_debug("MTDSB: mtd%%d, mtdnr %d\n", mtdnr); + return mtd_get_sb_by_nr(fc, mtdnr, fill_super); + } + } + } + +#ifdef CONFIG_BLOCK + /* try the old way - the hack where we allowed users to mount + * /dev/mtdblock$(n) but didn't actually _use_ the blockdev + */ + bdev = lookup_bdev(fc->source); + if (IS_ERR(bdev)) { + ret = PTR_ERR(bdev); + errorf(fc, "MTD: Couldn't look up '%s': %d", fc->source, ret); + return ret; + } + pr_debug("MTDSB: lookup_bdev() returned 0\n"); + + major = MAJOR(bdev->bd_dev); + mtdnr = MINOR(bdev->bd_dev); + bdput(bdev); + + if (major == MTD_BLOCK_MAJOR) + return mtd_get_sb_by_nr(fc, mtdnr, fill_super); + +#endif /* CONFIG_BLOCK */ + + if (!(fc->sb_flags & SB_SILENT)) + errorf(fc, "MTD: Attempt to mount non-MTD device \"%s\"", + fc->source); + return -EINVAL; +} +EXPORT_SYMBOL_GPL(get_tree_mtd); /* * compare superblocks to see if they're equivalent @@ -35,8 +212,6 @@ static int get_sb_mtd_compare(struct super_block *sb, void *_mtd) return 0; } -extern struct backing_dev_info *mtd_bdi; - /* * mark the superblock by the MTD device it is using * - set the device number to be the correct MTD block device for pesuperstence diff --git a/include/linux/mtd/super.h b/include/linux/mtd/super.h index 056c9932c723..42db3f8e8136 100644 --- a/include/linux/mtd/super.h +++ b/include/linux/mtd/super.h 
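Review bot: In mtd_get_sb() the sget_fc() failure path (`if (IS_ERR(sb)) return PTR_ERR(sb);`) returns without dropping the MTD reference the callers obtained from get_mtd_device()/get_mtd_device_nm(), while the already-mounted branch of the same function does call put_mtd_device(mtd). Add `put_mtd_device(mtd);` before that return; on the fill_super() failure path the release presumably comes through kill_sb since s_mtd is already set, which is worth confirming. The comment copied above mtd_set_super() reads "pesuperstence" where "persistence" is meant, and the errorf() in mtd_get_sb_by_nr() is the only one with a trailing newline and formats an int with %u — `errorf(fc, "MTDSB: Device #%d doesn't appear to exist", mtdnr);` matches the other messages. simple_strtoul() for the mtd<N> parse is generally discouraged in favour of kstrtoint()/kstrtouint(), which also report overflow.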
@@ -14,6 +14,9 @@ #include #include +extern int get_tree_mtd(struct fs_context *fc, + int (*fill_super)(struct super_block *sb, + struct fs_context *fc)); extern struct dentry *mount_mtd(struct file_system_type *fs_type, int flags, const char *dev_name, void *data, int (*fill_super)(struct super_block *, void *, int));