• Eric W. Biederman's avatar
    proc: Use new_inode not new_inode_pseudo · ef1548ad
    Eric W. Biederman authored
    Recently syzbot reported that unmounting proc when there is an ongoing
    inotify watch on the root directory of proc could result in a use
    after free when the watch is removed after the unmount of proc
    when the watcher exits.
    
    Commit 69879c01 ("proc: Remove the now unnecessary internal mount
    of proc") made it easier to unmount proc and allowed syzbot to see the
    problem, but looking at the code it has been around for a long time.
    
    Looking at the code the fsnotify watch should have been removed by
    fsnotify_sb_delete in generic_shutdown_super.  Unfortunately the inode
    was allocated with new_inode_pseudo instead of new_inode so the inode
    was not on the sb->s_inodes list.  Which prevented
    fsnotify_unmount_inodes from finding the inode and removing the watch
    as well as made it so the "VFS: Busy inodes after unmount" warning
    could not find the inodes to warn about them.
    
    Make all of the inodes in proc visible to generic_shutdown_super,
    and fsnotify_sb_delete by using new_inode instead of new_inode_pseudo.
    The only functional difference is that new_inode places the inodes
    on the sb->s_inodes list.
    
    I wrote a small test program and I can verify that without changes it
    can trigger this issue, and by replacing new_inode_pseudo with
    new_inode the issues goes away.
    
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/000000000000d788c905a7dfa3f4@google.com
    Reported-by: syzbot+7d2debdcdb3cb93c1e5e@syzkaller.appspotmail.com
    Fixes: 0097875b ("proc: Implement /proc/thread-self to point at the directory of the current thread")
    Fixes: 021ada7d ("procfs: switch /proc/self away from proc_dir_entry")
    Fixes: 51f0885e ("vfs,proc: guarantee unique inodes in /proc")
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    ef1548ad
thread_self.c 1.85 KB