From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5453A11C86 for ; Thu, 24 Aug 2023 14:58:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C3BEFC433C8; Thu, 24 Aug 2023 14:58:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1692889120; bh=yXOcRPV76V06lvEh6KbNIf1KrQ71alo5ONh7Sa2opXw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wEdEzIwruu816aMYJug3gRa6zsZj/qc0esUFeNsEd1V28hsFDDZMbTW2pUvU7yZMI fzrDtXk6jGEY6JU9s6mmDxxD7jmBoJ0YNb4HIxMefpNIklFEgxeodzc7f8vNMOo++2 XvrjxxMjWSiJp0BEu2lyZTCnV1XbIbl+5cuzXd7c= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Christian Brauner , Amir Goldstein , Sasha Levin Subject: [PATCH 5.10 021/135] ovl: check type and offset of struct vfsmount in ovl_entry Date: Thu, 24 Aug 2023 16:49:24 +0200 Message-ID: <20230824145027.868774961@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230824145027.008282920@linuxfoundation.org> References: <20230824145027.008282920@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Christian Brauner [ Upstream commit f723edb8a532cd26e1ff0a2b271d73762d48f762 ] Porting overlayfs to the new amount api I started experiencing random crashes that couldn't be explained easily. So after much debugging and reasoning it became clear that struct ovl_entry requires the point to struct vfsmount to be the first member and of type struct vfsmount. During the port I added a new member at the beginning of struct ovl_entry which broke all over the place in the form of random crashes and cache corruptions. While there's a comment in ovl_free_fs() to the effect of "Hack! Reuse ofs->layers as a vfsmount array before freeing it" there's no such comment on struct ovl_entry which makes this easy to trip over. Add a comment and two static asserts for both the offset and the type of pointer in struct ovl_entry. Signed-off-by: Christian Brauner Signed-off-by: Amir Goldstein Signed-off-by: Sasha Levin --- fs/overlayfs/ovl_entry.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h index b208eba5d0b64..b58a0140d78d5 100644 --- a/fs/overlayfs/ovl_entry.h +++ b/fs/overlayfs/ovl_entry.h @@ -30,6 +30,7 @@ struct ovl_sb { }; struct ovl_layer { + /* ovl_free_fs() relies on @mnt being the first member! */ struct vfsmount *mnt; /* Trap in ovl inode cache */ struct inode *trap; @@ -40,6 +41,14 @@ struct ovl_layer { int fsid; }; +/* + * ovl_free_fs() relies on @mnt being the first member when unmounting + * the private mounts created for each layer. Let's check both the + * offset and type. + */ +static_assert(offsetof(struct ovl_layer, mnt) == 0); +static_assert(__same_type(typeof_member(struct ovl_layer, mnt), struct vfsmount *)); + struct ovl_path { const struct ovl_layer *layer; struct dentry *dentry; -- 2.40.1