From patchwork Fri Jan 17 15:17:06 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christian Brauner <christian.brauner@ubuntu.com>
X-Patchwork-Id: 1224886
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=none (no SPF record)
	smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19;
	helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=ubuntu.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 47zl6c5qdfz9sSG;
	Sat, 18 Jan 2020 02:17:26 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1isTN8-0006G6-ND; Fri, 17 Jan 2020 15:17:18 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <christian.brauner@ubuntu.com>) id 1isTN3-0006Ft-A8
	for kernel-team@lists.ubuntu.com; Fri, 17 Jan 2020 15:17:13 +0000
Received: from ip5f5bd679.dynamic.kabel-deutschland.de ([95.91.214.121]
	helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <christian.brauner@ubuntu.com>)
	id 1isTN3-0006Od-0I; Fri, 17 Jan 2020 15:17:13 +0000
From: Christian Brauner <christian.brauner@ubuntu.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2] UBUNTU: SAUCE: shiftfs: prevent lower dentries from going
	negative during unlink
Date: Fri, 17 Jan 2020 16:17:06 +0100
Message-Id: <20200117151706.30559-1-christian.brauner@ubuntu.com>
X-Mailer: git-send-email 2.25.0
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Cc: stgraber@ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

BugLink: https://bugs.launchpad.net/bugs/1860041

All non-special files (For shiftfs this only includes fifos and - for
this case - unix sockets - since we don't allow character and block
devices to be created.) go through shiftfs_open() and have their dentry
pinned through this codepath preventing it from going negative. But
fifos don't use the shiftfs fops but rather use the pipefifo_fops which
means they do not go through shiftfs_open() and thus don't have their
dentry pinned that way. Thus, the lower dentries for such files can go
negative on unlink causing segfaults. The following C program can be
used to reproduce the crash:

 #include <stdio.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include <stdlib.h>

 int main(int argc, char *argv[])
 {
        struct stat stat;

        unlink("./bbb");

        int ret = mknod("./bbb", S_IFIFO|0666, 0);
        if (ret < 0)
                exit(1);

        int fd = open("./bbb", O_RDWR);
        if (fd < 0)
                exit(2);

        if (unlink("./bbb"))
                exit(4);

        fstat(fd, &stat);

        return 0;
 }

Similar to ecryptfs we need to dget() the lower dentry before calling
vfs_unlink() on it and dput() it afterwards.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Link: https://travis-ci.community/t/arm64-ppc64le-segfaults/6158/3
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Sultan Alsawaf <sultan.alsawaf@canonical.com>
---
/* v1 */
Link: https://lists.ubuntu.com/archives/kernel-team/2020-January/106965.html

/* v2 */
- Christian Brauner <christian.brauner@ubuntu.com>:
  - add missing ; after dget(lowerd)
---
 fs/shiftfs.c | 2 ++
 1 file changed, 2 insertions(+)


base-commit: 5c6810aad94a79c86bee07cd19dba90b92f461b4

diff --git a/fs/shiftfs.c b/fs/shiftfs.c
index 04fba4689eb6..3623d02b061e 100644
--- a/fs/shiftfs.c
+++ b/fs/shiftfs.c
@@ -583,6 +583,7 @@ static int shiftfs_rm(struct inode *dir, struct dentry *dentry, bool rmdir)
 	int err;
 	const struct cred *oldcred;
 
+	dget(lowerd);
 	oldcred = shiftfs_override_creds(dentry->d_sb);
 	inode_lock_nested(loweri, I_MUTEX_PARENT);
 	if (rmdir)
@@ -602,6 +603,7 @@ static int shiftfs_rm(struct inode *dir, struct dentry *dentry, bool rmdir)
 	inode_unlock(loweri);
 
 	shiftfs_copyattr(loweri, dir);
+	dput(lowerd);
 
 	return err;
 }