Merge patch series "fs: harden anon inodes"

#include <linux/uaccess.h>

#include "internal.h"

static struct vfsmount *anon_inode_mnt __ro_after_init;

static struct inode *anon_inode_inode __ro_after_init;

/*

 * User space expects anonymous inodes to have no file type in st_mode.

 *

 * In particular, 'lsof' has this legacy logic:

 *

 *	type = s->st_mode & S_IFMT;

 *	switch (type) {

 *	  ...

 *	case 0:

 *		if (!strcmp(p, "anon_inode"))

 *			Lf->ntype = Ntype = N_ANON_INODE;

 *

 * to detect our old anon_inode logic.

 *

 * Rather than mess with our internal sane inode data, just fix it

 * up here in getattr() by masking off the format bits.

 */

int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,

		       struct kstat *stat, u32 request_mask,

		       unsigned int query_flags)

{

	struct inode *inode = d_inode(path->dentry);

	generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat);

	stat->mode &= ~S_IFMT;

	return 0;

}

int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

		       struct iattr *attr)

{

	return -EOPNOTSUPP;

}

static const struct inode_operations anon_inode_operations = {

	.getattr = anon_inode_getattr,

	.setattr = anon_inode_setattr,

};

/*

 * anon_inodefs_dname() is called from d_path().

 */

	struct pseudo_fs_context *ctx = init_pseudo(fc, ANON_INODE_FS_MAGIC);

	if (!ctx)

		return -ENOMEM;

	fc->s_iflags |= SB_I_NOEXEC;

	fc->s_iflags |= SB_I_NODEV;

	ctx->dops = &anon_inodefs_dentry_operations;

	return 0;

}

	if (IS_ERR(inode))

		return inode;

	inode->i_flags &= ~S_PRIVATE;

	inode->i_op = &anon_inode_operations;

	error =	security_inode_init_security_anon(inode, &QSTR(name),

						  context_inode);

	if (error) {

	anon_inode_inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);

	if (IS_ERR(anon_inode_inode))

		panic("anon_inode_init() inode allocation failed (%ld)\n", PTR_ERR(anon_inode_inode));

	anon_inode_inode->i_op = &anon_inode_operations;

	return 0;

}

void file_f_owner_release(struct file *file);

bool file_seek_cur_needs_f_lock(struct file *file);

int statmount_mnt_idmap(struct mnt_idmap *idmap, struct seq_file *seq, bool uid_map);

int anon_inode_getattr(struct mnt_idmap *idmap, const struct path *path,

		       struct kstat *stat, u32 request_mask,

		       unsigned int query_flags);

int anon_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

		       struct iattr *attr);

	 * that it already _is_ on the dirty list.

	 */

	inode->i_state = I_DIRTY;

	inode->i_mode = S_IRUSR | S_IWUSR;

	/*

	 * Historically anonymous inodes didn't have a type at all and

	 * userspace has come to rely on this. Internally they're just

	 * regular files but S_IFREG is masked off when reporting

	 * information to userspace.

	 */

	inode->i_mode = S_IFREG | S_IRUSR | S_IWUSR;

	inode->i_uid = current_fsuid();

	inode->i_gid = current_fsgid();

	inode->i_flags |= S_PRIVATE;

static int pidfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,

			 struct iattr *attr)

{

	return -EOPNOTSUPP;

	return anon_inode_setattr(idmap, dentry, attr);

}

/*

 * User space expects pidfs inodes to have no file type in st_mode.

 *

 * In particular, 'lsof' has this legacy logic:

 *

 *	type = s->st_mode & S_IFMT;

 *	switch (type) {

 *	  ...

 *	case 0:

 *		if (!strcmp(p, "anon_inode"))

 *			Lf->ntype = Ntype = N_ANON_INODE;

 *

 * to detect our old anon_inode logic.

 *

 * Rather than mess with our internal sane inode data, just fix it

 * up here in getattr() by masking off the format bits.

 */

static int pidfs_getattr(struct mnt_idmap *idmap, const struct path *path,

			 struct kstat *stat, u32 request_mask,

			 unsigned int query_flags)

{

	struct inode *inode = d_inode(path->dentry);

	generic_fillattr(&nop_mnt_idmap, request_mask, inode, stat);

	stat->mode &= ~S_IFMT;

	return 0;

	return anon_inode_getattr(idmap, path, stat, request_mask, query_flags);

}

static const struct inode_operations pidfs_inode_operations = {

dnotify_test

devpts_pts

file_stressor

anon_inode_test