From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jann Horn <jannh@google.com>,
Christian Brauner <brauner@kernel.org>,
Kees Cook <keescook@chromium.org>,
Sasha Levin <sashal@kernel.org>,
viro@zeniv.linux.org.uk, memxor@gmail.com, ast@kernel.org,
brouer@redhat.com, davemarchevsky@fb.com,
linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 6.1 07/21] fs: Use CHECK_DATA_CORRUPTION() when kernel bugs are detected
Date: Sat, 25 Feb 2023 22:42:42 -0500 [thread overview]
Message-ID: <20230226034256.771769-7-sashal@kernel.org> (raw)
In-Reply-To: <20230226034256.771769-1-sashal@kernel.org>
From: Jann Horn <jannh@google.com>
[ Upstream commit 47d586913f2abec4d240bae33417f537fda987ec ]
Currently, filp_close() and generic_shutdown_super() use printk() to log
messages when bugs are detected. This is problematic because infrastructure
like syzkaller has no idea that this message indicates a bug.
In addition, some people explicitly want their kernels to BUG() when kernel
data corruption has been detected (CONFIG_BUG_ON_DATA_CORRUPTION).
And finally, when generic_shutdown_super() detects remaining inodes on a
system without CONFIG_BUG_ON_DATA_CORRUPTION, it would be nice if later
accesses to a busy inode would at least crash somewhat cleanly rather than
walking through freed memory.
To address all three, use CHECK_DATA_CORRUPTION() when kernel bugs are
detected.
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/open.c | 5 +++--
fs/super.c | 21 +++++++++++++++++----
include/linux/poison.h | 3 +++
3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/fs/open.c b/fs/open.c
index a81319b6177f6..7853deb6fcf47 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1411,8 +1411,9 @@ int filp_close(struct file *filp, fl_owner_t id)
{
int retval = 0;
- if (!file_count(filp)) {
- printk(KERN_ERR "VFS: Close: file count is 0\n");
+ if (CHECK_DATA_CORRUPTION(file_count(filp) == 0,
+ "VFS: Close: file count is 0 (f_op=%ps)",
+ filp->f_op)) {
return 0;
}
diff --git a/fs/super.c b/fs/super.c
index 8d39e4f11cfa3..4f8a626a35cd9 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -491,10 +491,23 @@ void generic_shutdown_super(struct super_block *sb)
if (sop->put_super)
sop->put_super(sb);
- if (!list_empty(&sb->s_inodes)) {
- printk("VFS: Busy inodes after unmount of %s. "
- "Self-destruct in 5 seconds. Have a nice day...\n",
- sb->s_id);
+ if (CHECK_DATA_CORRUPTION(!list_empty(&sb->s_inodes),
+ "VFS: Busy inodes after unmount of %s (%s)",
+ sb->s_id, sb->s_type->name)) {
+ /*
+ * Adding a proper bailout path here would be hard, but
+ * we can at least make it more likely that a later
+ * iput_final() or such crashes cleanly.
+ */
+ struct inode *inode;
+
+ spin_lock(&sb->s_inode_list_lock);
+ list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
+ inode->i_op = VFS_PTR_POISON;
+ inode->i_sb = VFS_PTR_POISON;
+ inode->i_mapping = VFS_PTR_POISON;
+ }
+ spin_unlock(&sb->s_inode_list_lock);
}
}
spin_lock(&sb_lock);
diff --git a/include/linux/poison.h b/include/linux/poison.h
index 2d3249eb0e62d..0e8a1f2ceb2f1 100644
--- a/include/linux/poison.h
+++ b/include/linux/poison.h
@@ -84,4 +84,7 @@
/********** kernel/bpf/ **********/
#define BPF_PTR_POISON ((void *)(0xeB9FUL + POISON_POINTER_DELTA))
+/********** VFS **********/
+#define VFS_PTR_POISON ((void *)(0xF5 + POISON_POINTER_DELTA))
+
#endif
--
2.39.0
next parent reply other threads:[~2023-02-26 3:45 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230226034256.771769-1-sashal@kernel.org>
2023-02-26 3:42 ` Sasha Levin [this message]
2023-02-26 3:42 ` [PATCH AUTOSEL 6.1 12/21] fs/super.c: stop calling fscrypt_destroy_keyring() from __put_super() Sasha Levin
2023-02-26 4:07 ` Eric Biggers
2023-02-26 5:30 ` Eric Biggers
2023-02-26 19:24 ` Eric Biggers
2023-02-26 19:33 ` Slade Watkins
2023-02-27 14:18 ` Sasha Levin
2023-02-27 17:47 ` AUTOSEL process Eric Biggers
2023-02-27 18:06 ` Eric Biggers
2023-02-27 20:39 ` Sasha Levin
2023-02-27 21:38 ` Eric Biggers
2023-02-27 22:35 ` Sasha Levin
2023-02-27 22:59 ` Matthew Wilcox
2023-02-28 0:52 ` Sasha Levin
2023-02-28 1:25 ` Eric Biggers
2023-02-28 4:25 ` Willy Tarreau
2023-03-30 0:08 ` Eric Biggers
2023-03-30 14:05 ` Sasha Levin
2023-03-30 17:22 ` Eric Biggers
2023-03-30 17:50 ` Sasha Levin
2023-02-28 0:32 ` Eric Biggers
2023-02-28 1:53 ` Sasha Levin
2023-02-28 3:41 ` Eric Biggers
2023-02-28 10:41 ` Amir Goldstein
2023-02-28 11:28 ` Greg KH
2023-03-01 2:05 ` Slade Watkins
2023-03-01 5:13 ` Eric Biggers
2023-03-01 6:09 ` Greg KH
2023-03-01 7:22 ` Eric Biggers
2023-03-01 7:40 ` Willy Tarreau
2023-03-01 8:31 ` Eric Biggers
2023-03-01 8:43 ` Greg KH
2023-03-01 6:06 ` Greg KH
2023-03-01 7:05 ` Eric Biggers
2023-03-01 10:31 ` Thorsten Leemhuis
2023-03-01 13:26 ` Mark Brown
2023-02-28 17:03 ` Sasha Levin
2023-03-10 23:07 ` Eric Biggers
2023-03-11 13:41 ` Sasha Levin
2023-03-11 15:54 ` James Bottomley
2023-03-11 18:07 ` Sasha Levin
2023-03-12 19:03 ` Theodore Ts'o
2023-03-07 21:18 ` Pavel Machek
2023-03-07 21:45 ` Eric Biggers
2023-03-11 6:25 ` Matthew Wilcox
2023-03-11 8:11 ` Willy Tarreau
2023-03-11 11:45 ` Pavel Machek
2023-03-11 12:29 ` Greg KH
2023-03-21 12:41 ` Maciej W. Rozycki
2023-03-11 14:06 ` Sasha Levin
2023-03-11 16:16 ` Theodore Ts'o
2023-03-11 17:48 ` Eric Biggers
2023-03-11 18:26 ` Sasha Levin
2023-03-11 18:54 ` Eric Biggers
2023-03-11 19:01 ` Eric Biggers
2023-03-11 21:14 ` Sasha Levin
2023-03-12 8:04 ` Amir Goldstein
2023-03-12 16:00 ` Sasha Levin
2023-03-13 17:41 ` Greg KH
2023-03-13 18:54 ` Eric Biggers
2023-03-14 18:26 ` Greg KH
2023-03-11 20:17 ` Eric Biggers
2023-03-11 21:02 ` Sasha Levin
2023-03-12 4:23 ` Willy Tarreau
2023-03-11 18:33 ` Willy Tarreau
2023-03-11 19:24 ` Eric Biggers
2023-03-11 19:46 ` Eric Biggers
2023-03-11 20:19 ` Willy Tarreau
2023-03-11 20:59 ` Sasha Levin
2023-03-11 20:11 ` Willy Tarreau
2023-03-11 20:53 ` Eric Biggers
2023-03-12 4:32 ` Willy Tarreau
2023-03-12 5:21 ` Eric Biggers
2023-03-12 5:48 ` Willy Tarreau
2023-03-12 7:42 ` Amir Goldstein
2023-03-12 13:34 ` Mark Brown
2023-03-12 15:57 ` Sasha Levin
2023-03-12 13:55 ` Mark Brown
2023-03-11 22:38 ` David Laight
2023-03-12 4:41 ` Willy Tarreau
2023-03-12 5:09 ` Theodore Ts'o
2023-03-14 14:12 ` Jan Kara
2023-03-13 3:37 ` Bagas Sanjaya
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230226034256.771769-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ast@kernel.org \
--cc=brauner@kernel.org \
--cc=brouer@redhat.com \
--cc=davemarchevsky@fb.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=memxor@gmail.com \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).