[RHEL7,COMMIT] ms/fs: Avoid userspace mounting anon_inodefs filesystem

Submitted by Konstantin Khorenko on Dec. 19, 2017, 11:03 a.m.


Message ID 201712191103.vBJB3WeV017358@finist_ce7.work
State New
Series "ms/fs: Avoid userspace mounting anon_inodefs filesystem"
Headers show

Commit Message

Konstantin Khorenko Dec. 19, 2017, 11:03 a.m.
The commit is pushed to "branch-rh7-3.10.0-693.11.1.vz7.39.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.1.vz7.39.7
commit 057c9fd670be52cbb90125b099f920365ef61cd5
Author: Jan Kara <jack@suse.cz>
Date:   Tue Dec 19 14:03:31 2017 +0300

    ms/fs: Avoid userspace mounting anon_inodefs filesystem
    Patchset description:
    Do not expose anon_inodefs to userspace
    anon_inodefs is special. It should only be mounted once by the kernel
    and should not be exposed to userspace directly, otherwise hard-to-debug
    memory corruptions and other problems may happen.
    This patch series prevents such problems.
    I suppose, there is no security impact here because anon_inodefs is not
    available in CTs and the non-root users on the host are unable to mount
    it as well.
    Still, the fuzzers like Syzkaller run into anon_inodefs-related issues
    quite often. So it is worth to include these fixes, in my opinion, at
    least to make kernel fuzz testing a bit easier.
    This patch description:
    anon_inodefs filesystem is a kernel internal filesystem userspace
    shouldn't mess with. Remove registration of it so userspace cannot
    even try to mount it (which would fail anyway because the filesystem is
    This fixes an oops triggered by trinity when it tried mounting
    anon_inodefs which overwrote anon_inode_inode pointer while other CPU
    has been in anon_inode_getfile() between ihold() and d_instantiate().
    Thus effectively creating dentry pointing to an inode without holding a
    reference to it.
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    ms commit: d6f2589ad561 ("fs: Avoid userspace mounting anon_inodefs
    Signed-off-by: Evgenii Shatokhin <eshatokhin@virtuozzo.com>
 fs/anon_inodes.c | 3 ---
 1 file changed, 3 deletions(-)

Patch hide | download patch | download mbox

diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
index 24084732b1d0..4b4543b8b894 100644
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -177,9 +177,6 @@  static int __init anon_inode_init(void)
 	int error;
-	error = register_filesystem(&anon_inode_fs_type);
-	if (error)
-		goto err_exit;
 	anon_inode_mnt = kern_mount(&anon_inode_fs_type);
 	if (IS_ERR(anon_inode_mnt)) {
 		error = PTR_ERR(anon_inode_mnt);