Validate mountpoint on path-based unmount using statx

Use statx to verify that path-based unmounts proceed only if the mountpoint reported by statx matches the MNTTAB entry reported by libzfs, aborting the operation if they differ. Align `zfs umount /path` behavior with `zfs umount dataset`. Reviewed-by: Alexander Motin <mav@FreeBSD.org> Signed-off-by: Ameer Hamza <ahamza@ixsystems.com> Closes #17481
2025-09-15 13:50:11 +03:00 · 2025-07-09 07:10:00 +05:00 · 2025-07-09 07:10:00 +05:00 · 21d5f25724
commit 21d5f25724
parent 7e945a5b3f
5 changed files with 89 additions and 6 deletions
--- a/cmd/zfs/zfs_main.c
+++ b/cmd/zfs/zfs_main.c
@ -7716,6 +7716,7 @@ unshare_unmount_path(int op, char *path, int flags, boolean_t is_manual)
 	struct extmnttab entry;
 	const char *cmdname = (op == OP_SHARE) ? "unshare" : "unmount";
 	ino_t path_inode;
 	char *zfs_mntpnt, *entry_mntpnt;
 	/*
 	 * Search for the given (major,minor) pair in the mount table.
@ -7757,6 +7758,24 @@ unshare_unmount_path(int op, char *path, int flags, boolean_t is_manual)
 		goto out;
 	}
 	/*
 	 * If the filesystem is mounted, check that the mountpoint matches
 	 * the one in the mnttab entry w.r.t. provided path. If it doesn't,
 	 * then we should not proceed further.
 	 */
 	entry_mntpnt = strdup(entry.mnt_mountp);
 	if (zfs_is_mounted(zhp, &zfs_mntpnt)) {
 		if (strcmp(zfs_mntpnt, entry_mntpnt) != 0) {
 			(void) fprintf(stderr, gettext("cannot %s '%s': "
 			    "not an original mountpoint\n"), cmdname, path);
 			free(zfs_mntpnt);
 			free(entry_mntpnt);
 			goto out;
 		}
 		free(zfs_mntpnt);
 	}
 	free(entry_mntpnt);
 	if (op == OP_SHARE) {
 		char nfs_mnt_prop[ZFS_MAXPROPLEN];
 		char smbshare_prop[ZFS_MAXPROPLEN];
--- a/config/user-statx.m4
+++ b/config/user-statx.m4
@ -0,0 +1,34 @@
 dnl #
 dnl # Check for statx() function and STATX_MNT_ID availability
 dnl #
 AC_DEFUN([ZFS_AC_CONFIG_USER_STATX], [
 	AC_CHECK_HEADERS([linux/stat.h],
 		[have_stat_headers=yes],
 		[have_stat_headers=no])
 	AS_IF([test "x$have_stat_headers" = "xyes"], [
 		AC_CHECK_FUNC([statx], [
 			AC_DEFINE([HAVE_STATX], [1], [statx() is available])
 			dnl Check for STATX_MNT_ID availability
 			AC_MSG_CHECKING([for STATX_MNT_ID])
 			AC_COMPILE_IFELSE([
 				AC_LANG_PROGRAM([[
 					#include <linux/stat.h>
 				]], [[
 					struct statx stx;
 					int mask = STATX_MNT_ID;
 					(void)mask;
 					(void)stx.stx_mnt_id;
 				]])
 			], [
 				AC_MSG_RESULT([yes])
 				AC_DEFINE([HAVE_STATX_MNT_ID], [1], [STATX_MNT_ID is available])
 			], [
 				AC_MSG_RESULT([no])
 			])
 		])
 	], [
 		AC_MSG_WARN([linux/stat.h not found; skipping statx support])
 	])
 ])  dnl end AC_DEFUN
--- a/config/user.m4
+++ b/config/user.m4
@ -17,6 +17,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER], [
 		ZFS_AC_CONFIG_USER_LIBUDEV
 		ZFS_AC_CONFIG_USER_LIBUUID
 		ZFS_AC_CONFIG_USER_LIBBLKID
 		ZFS_AC_CONFIG_USER_STATX
 	])
 	ZFS_AC_CONFIG_USER_LIBTIRPC
 	ZFS_AC_CONFIG_USER_LIBCRYPTO
--- a/lib/libspl/include/os/linux/sys/stat.h
+++ b/lib/libspl/include/os/linux/sys/stat.h
@ -31,6 +31,11 @@
 #include <sys/mount.h> /* for BLKGETSIZE64 */
 #ifdef HAVE_STATX
 #include <fcntl.h>
 #include <linux/stat.h>
 #endif
 /*
 * Emulate Solaris' behavior of returning the block device size in fstat64().
 */
--- a/lib/libspl/os/linux/getmntany.c
+++ b/lib/libspl/os/linux/getmntany.c
@ -85,13 +85,21 @@ _sol_getmntent(FILE *fp, struct mnttab *mgetp)
 }
 static int
-getextmntent_impl(FILE *fp, struct extmnttab *mp)
+getextmntent_impl(FILE *fp, struct extmnttab *mp, uint64_t *mnt_id)
 {
 	int ret;
 	struct stat64 st;
 	*mnt_id = 0;
 	ret = _sol_getmntent(fp, (struct mnttab *)mp);
 	if (ret == 0) {
 #ifdef HAVE_STATX_MNT_ID
 		struct statx stx;
 		if (statx(AT_FDCWD, mp->mnt_mountp,
 		    AT_STATX_SYNC_AS_STAT | AT_SYMLINK_NOFOLLOW,
 		    STATX_MNT_ID, &stx) == 0 && (stx.stx_mask & STATX_MNT_ID))
 			*mnt_id = stx.stx_mnt_id;
 #endif
 		if (stat64(mp->mnt_mountp, &st) != 0) {
 			mp->mnt_major = 0;
 			mp->mnt_minor = 0;
@ -110,6 +118,12 @@ getextmntent(const char *path, struct extmnttab *entry, struct stat64 *statbuf)
 	struct stat64 st;
 	FILE *fp;
 	int match;
 	boolean_t have_mnt_id = B_FALSE;
 	uint64_t target_mnt_id = 0;
 	uint64_t entry_mnt_id;
 #ifdef HAVE_STATX_MNT_ID
 	struct statx stx;
 #endif
 	if (strlen(path) >= MAXPATHLEN) {
 		(void) fprintf(stderr, "invalid object; pathname too long\n");
@ -128,6 +142,13 @@ getextmntent(const char *path, struct extmnttab *entry, struct stat64 *statbuf)
 		return (-1);
 	}
 #ifdef HAVE_STATX_MNT_ID
 	if (statx(AT_FDCWD, path, AT_STATX_SYNC_AS_STAT | AT_SYMLINK_NOFOLLOW,
 	    STATX_MNT_ID, &stx) == 0 && (stx.stx_mask & STATX_MNT_ID)) {
 		have_mnt_id = B_TRUE;
 		target_mnt_id = stx.stx_mnt_id;
 	}
 #endif
 	if ((fp = fopen(MNTTAB, "re")) == NULL) {
 		(void) fprintf(stderr, "cannot open %s\n", MNTTAB);
@ -139,12 +160,15 @@ getextmntent(const char *path, struct extmnttab *entry, struct stat64 *statbuf)
 	 */
 	match = 0;
-	while (getextmntent_impl(fp, entry) == 0) {
+	while (getextmntent_impl(fp, entry, &entry_mnt_id) == 0) {
-		if (makedev(entry->mnt_major, entry->mnt_minor) ==
+		if (have_mnt_id) {
-		    statbuf->st_dev) {
+			match = (entry_mnt_id == target_mnt_id);
-			match = 1;
+		} else {
-			break;
+			match = makedev(entry->mnt_major, entry->mnt_minor) ==
 			    statbuf->st_dev;
 		}
 		if (match)
 			break;
 	}
 	(void) fclose(fp);