| author | Christian Brauner <brauner@kernel.org> | 2026-04-01 12:21:16 +0200 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2026-04-09 14:36:52 +0200 |
| commit | 1fe989e1c42a315c7e7918e7b812377137085036 (patch) | |
| tree | 069b64ecf25420fb5ab3b17c51b25c6ea92c1415 /tools/perf/scripts/python/bin | |
| parent | e3b2cf6e5dba416a03152f299d99982dfe1e861d (diff) | |
kernfs: use namespace id instead of pointer for hashing and comparison

kernfs uses the namespace tag as both a hash seed (via init_name_hash())
and a comparison key in the rbtree. The resulting hash values are exposed
to userspace through directory seek positions (ctx->pos), and the raw
pointer comparisons in kernfs_name_compare() encode kernel pointer
ordering into the rbtree layout.

This constitutes a KASLR information leak since the hash and ordering
derived from kernel pointers can be observed from userspace.

Fix this by using the 64-bit namespace id (ns_common::ns_id) instead of
the raw pointer value for both hashing and comparison. The namespace id
is a stable, non-secret identifier that is already exposed to userspace
through other interfaces (e.g., /proc/pid/ns/, ioctl NS_GET_NSID).

Introduce kernfs_ns_id() as a helper that extracts the namespace id from
a potentially-NULL ns_common pointer, returning 0 for the no-namespace
case.

All namespace equality checks in the directory iteration and dentry
revalidation paths are also switched from pointer comparison to ns_id
comparison for consistency.

Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'tools/perf/scripts/python/bin')
0 files changed, 0 insertions, 0 deletions
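
The property the commit message describes, as a userspace model added here (not code from this commit or from the kernel): a seek-position-style hash and a tree comparator that depend on where the namespace object lives, next to variants that depend only on its id. `struct ns_common` is reduced to one field, the body of `kernfs_ns_id()` is reconstructed from the message's description, and `model_hash`, `hash_by_*`, `cmp_by_*` and the `placed` sample are assumptions; the hash is a stand-in, not the kernel's name hash.

```c
#include <stdint.h>
#include <stdio.h>
/* Stand-in for the kernel's struct ns_common; only ns_id is modelled. */
struct ns_common { uint64_t ns_id; };

/* Helper as the commit message describes it: 0 when there is no namespace. */
uint64_t kernfs_ns_id(const struct ns_common *ns) { return ns ? ns->ns_id : 0; }

/* Stand-in seeded string hash (FNV-1a style), NOT the kernel's name hash.
 * Masked to 31 bits, like a value that ends up in a directory seek position. */
uint32_t model_hash(const char *name, uint64_t seed)
{
	uint64_t h = 0xcbf29ce484222325ULL ^ seed;
	while (*name) {
		h ^= (unsigned char)*name++;
		h *= 0x100000001b3ULL;
	}
	return (uint32_t)(h ^ (h >> 32)) & 0x7fffffffU;
}

/* Before: the namespace object's address seeds the hash and orders the tree. */
uint32_t hash_by_pointer(const char *name, const struct ns_common *ns)
{
	return model_hash(name, (uint64_t)(uintptr_t)ns);
}
int cmp_by_pointer(const struct ns_common *a, const struct ns_common *b)
{
	return ((uintptr_t)a > (uintptr_t)b) - ((uintptr_t)a < (uintptr_t)b);
}

/* After: only the namespace id is used, so object placement has no effect. */
uint32_t hash_by_ns_id(const char *name, const struct ns_common *ns)
{
	return model_hash(name, kernfs_ns_id(ns));
}
int cmp_by_ns_id(const struct ns_common *a, const struct ns_common *b)
{
	uint64_t x = kernfs_ns_id(a), y = kernfs_ns_id(b);
	return (x > y) - (x < y);
}

/* Constructed sample: one namespace id (42) placed at two different addresses. */
struct ns_common placed[2] = { { 42 }, { 42 } };
int main(void)
{
	printf("pointer seed: %u vs %u\n", (unsigned)hash_by_pointer("eth0", &placed[0]), (unsigned)hash_by_pointer("eth0", &placed[1]));
	printf("ns_id seed:   %u vs %u\n", (unsigned)hash_by_ns_id("eth0", &placed[0]), (unsigned)hash_by_ns_id("eth0", &placed[1]));
	return 0;
}
```

The pointer-seeded values change with the object's address, while the id-seeded values are identical for both placements and the id comparator treats them as the same namespace.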
