throne_tracker: avoid cross-fs traversal using s_magic check

backslashxx · backslashxx · commit 82f7e2c390a6 · 2025-06-09T07:33:15.000+08:00
Skip directories in /data/app that are NOT the same as /data/app. This is to avoid scanning incfs and any other stacked filesystems. This is a simple workaround for Ultra-Legacy kernels where upstream's method fails. Replaces: `throne_tracker: avoid cross fs access` tiann/KernelSU#2626 Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
diff --git a/drivers/kernelsu/throne_tracker.c b/drivers/kernelsu/throne_tracker.c
@@ -225,13 +225,19 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
 	int i, stop = 0;
 	struct list_head data_path_list;
 	INIT_LIST_HEAD(&data_path_list);
+	unsigned long *data_app_magic;
+	bool got_magic = false;
 
 	// Initialize APK cache list
 	struct apk_path_hash *pos, *n;
 	list_for_each_entry(pos, &apk_path_hash_list, list) {
 		pos->exists = false;
 	}
 
+	data_app_magic = kmalloc(sizeof(unsigned long), GFP_ATOMIC); // they use atomic here so
+	if (!data_app_magic) // just be defensive
+        	goto skip_iterate;
+
 	// First depth
 	struct data_path data;
 #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 8, 0)
@@ -271,7 +277,26 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
 					pr_err("Failed to open directory: %s, err: %ld\n", pos->dirpath, PTR_ERR(file));
 					goto skip_iterate;
 				}
-
+				
+				// grab magic on first folder, which is /data/app
+				if (!got_magic) {
+					if (file->f_inode->i_sb->s_magic) {
+						*data_app_magic = file->f_inode->i_sb->s_magic;
+						got_magic = true;
+					} else
+						goto skip_iterate;
+				}
+				
+				if (file->f_inode->i_sb->s_magic && file->f_inode->i_sb->s_magic != *data_app_magic) {
+					pr_info("%s: skip: %s magic: %lx expected: %lx\n", pos->dirpath, 
+						file->f_inode->i_sb->s_magic, *data_app_magic);
+					filp_close(file, NULL);
+					goto skip_iterate;
+				}
+#ifdef CONFIG_KSU_DEBUG				
+				if (file->f_inode->i_sb->s_magic)
+					pr_info("%s: current dir: %s magic: %lx expected: %lx\n", __func__, pos->dirpath, file->f_inode->i_sb->s_magic, *data_app_magic);
+#endif
 				iterate_dir(file, &ctx.ctx);
 				filp_close(file, NULL);
 			}
@@ -282,6 +307,9 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
 		}
 	}
 
+	if (data_app_magic)
+		kfree(data_app_magic);
+
 	// Remove stale cached APK entries
 	list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) {
 		if (!pos->exists) {
