From: Samuel Holland To: Greg Kroah-Hartman , "Rafael J. Wysocki" , Arend van Spriel Cc: linux-kernel@vger.kernel.org, Samuel Holland Subject: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile() Date: Sat, 3 Apr 2021 19:45:04 -0500 Message-Id: <20210404004504.5547-1-samuel@sholland.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This function uses devres to clean up its allocation, but it never removes the file referencing that allocation. This causes a use-after-free and an oops if the file is accessed after the owning device is removed. Fixes: 98210b7f73f1d ("debugfs: add helper function to create device related seq_file") Fixes: 0d519cbf38eed ("debugfs: remove return value of debugfs_create_devm_seqfile()") Signed-off-by: Samuel Holland --- fs/debugfs/file.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 686e0ad28788..64f1f918e119 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -1100,6 +1100,7 @@ EXPORT_SYMBOL_GPL(debugfs_create_regset32); struct debugfs_devm_entry { int (*read)(struct seq_file *seq, void *data); struct device *dev; + struct dentry *dentry; }; static int debugfs_devm_entry_open(struct inode *inode, struct file *f) @@ -1117,6 +1118,13 @@ static const struct file_operations debugfs_devm_entry_ops = { .llseek = seq_lseek }; +static void debugfs_devm_entry_release(struct device *dev, void *res) +{ + struct debugfs_devm_entry *entry = res; + + debugfs_remove(entry->dentry); +} + /** * debugfs_create_devm_seqfile - create a debugfs file that is bound to device. * 
@@ -1136,14 +1144,19 @@ void debugfs_create_devm_seqfile(struct device *dev, const char *name, if (IS_ERR(parent)) return; - entry = devm_kzalloc(dev, sizeof(*entry), GFP_KERNEL); + entry = devres_alloc(debugfs_devm_entry_release, sizeof(*entry), GFP_KERNEL); if (!entry) return; entry->read = read_fn; entry->dev = dev; + entry->dentry = debugfs_create_file(name, S_IRUGO, parent, entry, + &debugfs_devm_entry_ops); + if (IS_ERR(entry->dentry)) { + devres_free(entry); + return; + } - debugfs_create_file(name, S_IRUGO, parent, entry, - &debugfs_devm_entry_ops); + devres_add(dev, entry); } EXPORT_SYMBOL_GPL(debugfs_create_devm_seqfile); -- 2.26.2
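Review bot: In the second hunk (@@ -1117,6 +1118,13 @@), debugfs_devm_entry_release() passes entry->dentry to debugfs_remove() unconditionally, but nothing in the patch takes a reference on that dentry, so the pointer is only good as long as nobody else removes the file first. A caller that tears down `parent` itself before devres cleanup runs would leave this callback holding a stale pointer. Please either state in the kernel-doc comment that follows this hunk that the caller must not remove `parent` (or the file) while the device is bound, or hold a reference on the dentry so the release is safe in either order.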
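Review bot: Style point in the third hunk (@@ -1136,14 +1144,19 @@): the re-added debugfs_create_file() call still passes S_IRUGO; since the call is being rewritten anyway, use the octal 0444, which checkpatch prefers over symbolic permissions. The new error path (devres_free() on IS_ERR, devres_add() only on success) reads correctly, but a short comment saying that the file is created before devres_add() so the release callback always sees a valid entry->dentry would help the next reader.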