Re: BUG_ON(nd->inode != parent->d_inode);

From: Eric W. Biederman
Date: Sat Mar 09 2013 - 03:28:40 EST

Next message: Eric W. Biederman: "Re: [nsproxy] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024"
Previous message: Ingo Molnar: "Re: [ANNOUNCE] 3.9-rc1-nohz1"
In reply to: Dave Jones: "Re: BUG_ON(nd->inode != parent->d_inode);"
Next in thread: Dave Jones: "Re: BUG_ON(nd->inode != parent->d_inode);"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dave Jones <davej@xxxxxxxxxx> writes:

> On Fri, Mar 08, 2013 at 07:38:33PM -0800, Eric W. Biederman wrote:
> > Dave Jones <davej@xxxxxxxxxx> writes:
> >
> > > On Fri, Mar 08, 2013 at 07:16:09PM -0800, Linus Torvalds wrote:
> > > > Goodie. Your bug reports gave me heartburn. But it sounds like we have an
> > > > angle on all of the ones you've seen now?
> > > >
> > > > Or have I forgotten about some case?
> > >
> > > To be honest I've lost track of the whole collection.
> > > Let me repull your latest tree, and see what falls out.
> > > (I'll turn off CONFIG_USER_NS for now too until that gets fixed)
> >
> > It was CONFIG_UTS_NS that tripped you.
> >
> > Since I can trigger this with /proc/self/ns/mnt/a you are going to be
> > able to compile this one out.
>
> fwiw, the other namespace procfs files look like they have the same bug
>
> I just triggered it again on /proc/571/task/571/ns/net

Yep same code.

I will do a proper submission of this after I have slept. But
here is the fix.

From: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Date: Sat, 9 Mar 2013 00:14:45 -0800
Subject: [PATCH] proc: Use nd_jump_link in proc_ns_follow_link

Update proc_ns_follow_link to use nd_jump_link instead of just
manually updating nd.path.dentry.

This fixes the BUG_ON(nd->inode != parent->d_inode) reported by Dave
Jones and reproduced trivially with mkdir /proc/self/ns/uts/a.

Sigh it looks like the VFS change to require use of nd_jump_link
happend while proc_ns_follow_link was baking and since the common case
of proc_ns_follow_link continued to work without problems the need for
making this change was overlooked.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
---
fs/proc/namespaces.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c
index b7a4719..66b51c0 100644
--- a/fs/proc/namespaces.c
+++ b/fs/proc/namespaces.c
@@ -118,7 +118,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
struct super_block *sb = inode->i_sb;
struct proc_inode *ei = PROC_I(inode);
struct task_struct *task;
- struct dentry *ns_dentry;
+ struct path ns_path;
void *error = ERR_PTR(-EACCES);

task = get_proc_task(inode);
@@ -128,14 +128,14 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
if (!ptrace_may_access(task, PTRACE_MODE_READ))
goto out_put_task;

- ns_dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
- if (IS_ERR(ns_dentry)) {
- error = ERR_CAST(ns_dentry);
+ ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
+ if (IS_ERR(ns_path.dentry)) {
+ error = ERR_CAST(ns_path.dentry);
goto out_put_task;
}

- dput(nd->path.dentry);
- nd->path.dentry = ns_dentry;
+ ns_path.mnt = mntget(nd->path.mnt);
+ nd_jump_link(nd, &ns_path);
error = NULL;

out_put_task:
--
1.7.5.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric W. Biederman: "Re: [nsproxy] BUG: unable to handle kernel NULL pointer dereference at 0000000000000024"
Previous message: Ingo Molnar: "Re: [ANNOUNCE] 3.9-rc1-nohz1"
In reply to: Dave Jones: "Re: BUG_ON(nd->inode != parent->d_inode);"
Next in thread: Dave Jones: "Re: BUG_ON(nd->inode != parent->d_inode);"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]