Bug 265311
| Summary: | silly mount() arguments with MNT_UPDATE and MNT_UNION can cause kernel page-fault | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Robert Morris <rtm> |
| Component: | kern | Assignee: | Konstantin Belousov <kib> |
| Status: | Closed FIXED | ||
| Severity: | Affects Some People | CC: | emaste, mckusick |
| Priority: | --- | ||
| Version: | CURRENT | ||
| Hardware: | Any | ||
| OS: | Any | ||
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=21ccdb4119afdfdfeaa80e9c8514171c65b35862 commit 21ccdb4119afdfdfeaa80e9c8514171c65b35862 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2024-05-15 09:54:49 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2024-05-16 01:00:26 +0000 vfs_domount_update(): postpone setting MNT_UNION until VFS_MOUNT() is done The file system that handles updating the mount point might do lookups during the update, in which case it could find the flag MNT_UNION set on the mp while mount point is still not updated. In particular, the rootvp->v_mount->mnt_vnodecovered is not yet set. Delay setting MNT_UNION until the mount is performed. PR: 265311 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: mckusick, olce Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D45208 sys/kern/vfs_mount.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=625a622cc6511e250470ee3f84a8553c7c734de6 commit 625a622cc6511e250470ee3f84a8553c7c734de6 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2024-05-15 09:54:49 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2024-05-23 00:26:43 +0000 vfs_domount_update(): postpone setting MNT_UNION until VFS_MOUNT() is done PR: 265311 (cherry picked from commit 21ccdb4119afdfdfeaa80e9c8514171c65b35862) sys/kern/vfs_mount.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=2a2f2f59132ad365203c5deb8ed16202a78585c1 commit 2a2f2f59132ad365203c5deb8ed16202a78585c1 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2024-05-15 09:54:49 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2024-05-22 23:47:23 +0000 vfs_domount_update(): postpone setting MNT_UNION until VFS_MOUNT() is done PR: 265311 (cherry picked from commit 21ccdb4119afdfdfeaa80e9c8514171c65b35862) sys/kern/vfs_mount.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) |
This user program causes a kernel page fault in CURRENT: char data[128]; memset(data, 0, sizeof(data)); *(char **)data = "doesnotexist"; mount("ffs", "/", 0x10020, data); 0x10020 is MNT_UPDATE and MNT_UNION. The crash happens because the argument to VREF is zero in this code from vfs_lookup(): if ((error == ENOENT) && (dp->v_vflag & VV_ROOT) && (dp->v_mount != NULL) && (dp->v_mount->mnt_flag & MNT_UNION)) { tdp = dp; dp = dp->v_mount->mnt_vnodecovered; VREF(dp); panic: Fatal page fault at 0xffffffc0003934f4: 0x000000000001ac ... panic() at panic+0x2a page_fault_handler() at page_fault_handler+0x1a4 do_trap_supervisor() at do_trap_supervisor+0x76 cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70 --- exception 13, tval = 0x1ac refcount_acquire_if_gt() at refcount_acquire_if_gt+0xe refcount_acquire_if_not_zero() at refcount_acquire_if_not_zero+0xc vget_prep() at vget_prep+0x14 vref() at vref+0x10 vfs_lookup() at vfs_lookup+0x374 namei() at namei+0x17e ffs_mount() at ffs_mount+0x2dc vfs_domount_update() at vfs_domount_update+0x1fa vfs_domount() at vfs_domount+0x230 vfs_donmount() at vfs_donmount+0x742 kernel_mount() at kernel_mount+0x4e ffs_cmount() at ffs_cmount+0x60 sys_mount() at sys_mount+0x17e syscallenter() at syscallenter+0xec ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xea cpu_exception_handler_user() at cpu_exception_handler_user+0x72