Validate mountpoint on path-based unmount using statx

ixhamza · ixhamza · commit 9cd47e468c62 · 2025-06-24T18:00:36.000+05:00
Use statx to verify that path-based unmounts proceed only if the
mountpoint reported by statx matches the MNTTAB entry reported by
libzfs, aborting the operation if they differ. Align
`zfs umount /path` behavior with `zfs umount dataset`.

Signed-off-by: Ameer Hamza &lt;ahamza@ixsystems.com&gt;
diff --git a/cmd/zfs/zfs_main.c b/cmd/zfs/zfs_main.c
@@ -7729,6 +7729,7 @@ unshare_unmount_path(int op, char *path, int flags, boolean_t is_manual)
 	struct extmnttab entry;
 	const char *cmdname = (op == OP_SHARE) ? "unshare" : "unmount";
 	ino_t path_inode;
+	char *zfs_mntpnt, *entry_mntpnt;
 
 	/*
 	 * Search for the given (major,minor) pair in the mount table.
@@ -7770,6 +7771,24 @@ unshare_unmount_path(int op, char *path, int flags, boolean_t is_manual)
 		goto out;
 	}
 
+	/*
+	 * If the filesystem is mounted, check that the mountpoint matches
+	 * the one in the mnttab entry w.r.t. provided path. If it doesn't,
+	 * then we should not proceed further.
+	 */
+	entry_mntpnt = strdup(entry.mnt_mountp);
+	if (zfs_is_mounted(zhp, &zfs_mntpnt)) {
+		if (strcmp(zfs_mntpnt, entry_mntpnt) != 0) {
+			(void) fprintf(stderr, gettext("cannot %s '%s': "
+			    "not an original mountpoint\n"), cmdname, path);
+			free(zfs_mntpnt);
+			free(entry_mntpnt);
+			goto out;
+		}
+		free(zfs_mntpnt);
+	}
+	free(entry_mntpnt);
+
 	if (op == OP_SHARE) {
 		char nfs_mnt_prop[ZFS_MAXPROPLEN];
 		char smbshare_prop[ZFS_MAXPROPLEN];
diff --git a/config/user-statx.m4 b/config/user-statx.m4
@@ -0,0 +1,34 @@
+dnl #
+dnl # Check for statx() function and STATX_MNT_ID availability
+dnl #
+AC_DEFUN([ZFS_AC_CONFIG_USER_STATX], [
+	AC_CHECK_HEADERS([linux/stat.h],
+		[have_stat_headers=yes],
+		[have_stat_headers=no])
+
+	AS_IF([test "x$have_stat_headers" = "xyes"], [
+		AC_CHECK_FUNC([statx], [
+			AC_DEFINE([HAVE_STATX], [1], [statx() is available])
+
+			dnl Check for STATX_MNT_ID availability
+			AC_MSG_CHECKING([for STATX_MNT_ID])
+			AC_COMPILE_IFELSE([
+				AC_LANG_PROGRAM([[
+					#include <linux/stat.h>
+				]], [[
+					struct statx stx;
+					int mask = STATX_MNT_ID;
+					(void)mask;
+					(void)stx.stx_mnt_id;
+				]])
+			], [
+				AC_MSG_RESULT([yes])
+				AC_DEFINE([HAVE_STATX_MNT_ID], [1], [STATX_MNT_ID is available])
+			], [
+				AC_MSG_RESULT([no])
+			])
+		])
+	], [
+		AC_MSG_WARN([linux/stat.h not found; skipping statx support])
+	])
+])  dnl end AC_DEFUN
diff --git a/config/user.m4 b/config/user.m4
@@ -32,6 +32,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER], [
 	ZFS_AC_CONFIG_USER_MAKEDEV_IN_SYSMACROS
 	ZFS_AC_CONFIG_USER_MAKEDEV_IN_MKDEV
 	ZFS_AC_CONFIG_USER_ZFSEXEC
+	ZFS_AC_CONFIG_USER_STATX
 
 	AC_CHECK_FUNCS([execvpe issetugid mlockall strlcat strlcpy gettid])
 
diff --git a/lib/libspl/include/os/linux/sys/stat.h b/lib/libspl/include/os/linux/sys/stat.h
@@ -31,6 +31,11 @@
 
 #include <sys/mount.h> /* for BLKGETSIZE64 */
 
+#ifdef HAVE_STATX
+#include <fcntl.h>
+#include <linux/stat.h>
+#endif
+
 /*
  * Emulate Solaris' behavior of returning the block device size in fstat64().
  */
diff --git a/lib/libspl/os/linux/getmntany.c b/lib/libspl/os/linux/getmntany.c
@@ -85,13 +85,21 @@ _sol_getmntent(FILE *fp, struct mnttab *mgetp)
 }
 
 static int
-getextmntent_impl(FILE *fp, struct extmnttab *mp)
+getextmntent_impl(FILE *fp, struct extmnttab *mp, uint64_t *mnt_id)
 {
 	int ret;
 	struct stat64 st;
 
+	*mnt_id = 0;
 	ret = _sol_getmntent(fp, (struct mnttab *)mp);
 	if (ret == 0) {
+#ifdef HAVE_STATX_MNT_ID
+		struct statx stx;
+		if (statx(AT_FDCWD, mp->mnt_mountp,
+		    AT_STATX_SYNC_AS_STAT | AT_SYMLINK_NOFOLLOW,
+		    STATX_MNT_ID, &stx) == 0 && (stx.stx_mask & STATX_MNT_ID))
+			*mnt_id = stx.stx_mnt_id;
+#endif
 		if (stat64(mp->mnt_mountp, &st) != 0) {
 			mp->mnt_major = 0;
 			mp->mnt_minor = 0;
@@ -110,6 +118,12 @@ getextmntent(const char *path, struct extmnttab *entry, struct stat64 *statbuf)
 	struct stat64 st;
 	FILE *fp;
 	int match;
+	boolean_t have_mnt_id = B_FALSE;
+	uint64_t target_mnt_id = 0;
+	uint64_t entry_mnt_id;
+#ifdef HAVE_STATX_MNT_ID
+	struct statx stx;
+#endif
 
 	if (strlen(path) >= MAXPATHLEN) {
 		(void) fprintf(stderr, "invalid object; pathname too long\n");
@@ -128,6 +142,13 @@ getextmntent(const char *path, struct extmnttab *entry, struct stat64 *statbuf)
 		return (-1);
 	}
 
+#ifdef HAVE_STATX_MNT_ID
+	if (statx(AT_FDCWD, path, AT_STATX_SYNC_AS_STAT | AT_SYMLINK_NOFOLLOW,
+	    STATX_MNT_ID, &stx) == 0 && (stx.stx_mask & STATX_MNT_ID)) {
+		have_mnt_id = B_TRUE;
+		target_mnt_id = stx.stx_mnt_id;
+	}
+#endif
 
 	if ((fp = fopen(MNTTAB, "re")) == NULL) {
 		(void) fprintf(stderr, "cannot open %s\n", MNTTAB);
@@ -139,12 +160,15 @@ getextmntent(const char *path, struct extmnttab *entry, struct stat64 *statbuf)
 	 */
 
 	match = 0;
-	while (getextmntent_impl(fp, entry) == 0) {
-		if (makedev(entry->mnt_major, entry->mnt_minor) ==
-		    statbuf->st_dev) {
-			match = 1;
-			break;
+	while (getextmntent_impl(fp, entry, &entry_mnt_id) == 0) {
+		if (have_mnt_id) {
+			match = (entry_mnt_id == target_mnt_id);
+		} else {
+			match = makedev(entry->mnt_major, entry->mnt_minor) ==
+			    statbuf->st_dev;
 		}
+		if (match)
+			break;
 	}
 	(void) fclose(fp);
 
