Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp2689843pxf; Sun, 4 Apr 2021 10:27:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxSt98dI+V9qFIq4RYN2BEuD3kPXk1D8U+F5iFSqwjEsdP++8/nU4C7WuoE8CoLTxognBkB X-Received: by 2002:a02:aa92:: with SMTP id u18mr20735191jai.119.1617557275474; Sun, 04 Apr 2021 10:27:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617557275; cv=none; d=google.com; s=arc-20160816; b=c8fvBHe+14eGEi7Ls3975BgEHxY/pP2c2tmCFymFcbcbMN0iXcGScCMDYc5yYjt04j pkQJ0M0jl84WpFXItLlfmuJt7prhqPLu1KuPdtI2Ksc1XNaIIPNm1MhBvhAEjag8sPlU Jfmh8qm9KMgdyP56gvhaWiZJl5xZIPnL9PUclJZgflUwp1Ds340OsbTo2hGraW7J9cNm egxawNubpz7oiUvg8SrPTLTPlNhsy1v2SA5B89myJ8SFuNnCzCWmydHXN7C0ftxF92AE BrGVrY0GXOPcj73ZJLX9fKyQjqKner9ILi/kswcOA3u0GkMgCuKYn7MYhv60fVm4bHCn uuSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject:from :references:cc:to:dkim-signature:dkim-signature; bh=KESy4hgR2flDtG6sCptQWSiEI0A7SilCBG9hlPjpaSw=; b=sIUgNoQlEgP4Ku0s6dqc/K+mCh4At2CVZbX93JPS+iPnmAnZKN9l6AOQFZnNMpr2Dw TnCaJcB34MkNW8uKKaNDZ/Ej9w54M5YvMGJfdCmI08I+OBVfB3v/r2quKH04NTJrD8yU i+7ff0zzkDGjZUE+7B2585t03bw50aMFXq+Ks0aLhBMQtMM2yR3yFYzDLIcOPOuUi9fL Am5aVBofSm+prXF17Vb1ii11gOTgHdo/X9UBT7nwatzO8pJoQkdq+A/1hsPx8sj3ydvC LhTkdPFE4pcyfdXNM9fXSwy7GARIyPnA0fTw0OwcCXOZlkSG1BE7guXIgY2/+sdkw2Up hVrQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sholland.org header.s=fm2 header.b=qmtMy8Fi; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=ot+KrKN3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u28si12041397jaq.75.2021.04.04.10.27.42; Sun, 04 Apr 2021 10:27:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sholland.org header.s=fm2 header.b=qmtMy8Fi; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=ot+KrKN3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231152AbhDDR0V (ORCPT + 99 others); Sun, 4 Apr 2021 13:26:21 -0400 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:47687 "EHLO wout4-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231206AbhDDR0T (ORCPT ); Sun, 4 Apr 2021 13:26:19 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 14636B4C; Sun, 4 Apr 2021 13:26:12 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Sun, 04 Apr 2021 13:26:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sholland.org; h= to:cc:references:from:subject:message-id:date:mime-version :in-reply-to:content-type:content-transfer-encoding; s=fm2; bh=K ESy4hgR2flDtG6sCptQWSiEI0A7SilCBG9hlPjpaSw=; b=qmtMy8Fig6Vj9yZt6 NRSMoIaTrtWbgWgeVqwiWjwio7vv3AFPVshbwmuv5MmusFNdBsQyxLgbFEnKEkDS S3yURF/KX0ax2dphJZlfV4qXddl/8KNsWJ40e09inGxPijW+tTA7tVsRpLPHBo49 4GbNYoELEWIuvE9ygvLV9s6rh33aY2qgBW759BK8rjDi6iO0VpdPhirNz+Jznfvt tHCS6WggZo8djc13+3/rdNUVH4DJbQxEDZIyLZopoGtUpGJU/X/g03sd+SHNMrVR axrvh3XxUfRX7FXeU2A4yAZppUoCUjghMMwRugfGNQD56jypDzC7D7Na8125p06V FUoPw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=KESy4hgR2flDtG6sCptQWSiEI0A7SilCBG9hlPjpa Sw=; b=ot+KrKN3R5Bxmo7TsBsAfa7S44aQvL2gXYDCaPYWDD0YgX+1OJfIVxQfB qVCF2c7aQMQRs1wjcGRkQyCsiDBpfYBNAu2EaKjjF5w+cqs2Q8i1bhGR38Cv0FNI gHSnzkyEC91KaEf4U3bCKK3wiyxZ+/QE6MRO81JCL0Tmmql9fGfCzVoS3zyd05DK M5VmLXq3IYGXa+yW1IjL04Tck2SisxgDoYo542RTOrtfgfG3fDvG6JQ1hXDEU1Zn 2xUmM84H9IxUcmgu54+w4f3OsH0C5+jdoG6QVEjIGrdtQR2e4w++hJAAYuqrfolf ZT5DRZNkwWDdgKqIyLfIwO+6AreFw== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudejtddguddufecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefvfhfhuffkffgfgggjtgfgsehtkeertddtfeejnecuhfhrohhmpefurghm uhgvlhcujfholhhlrghnugcuoehsrghmuhgvlhesshhhohhllhgrnhgurdhorhhgqeenuc ggtffrrghtthgvrhhnpedvtddtjeeiuddugfffveetkeffgeffgedutdfgfeekudevudek ffehtdefveeuvdenucfkphepjedtrddufeehrddugeekrdduhedunecuvehluhhsthgvrh fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepshgrmhhuvghlsehshhholhhl rghnugdrohhrgh X-ME-Proxy: Received: from [70.135.148.151] (70-135-148-151.lightspeed.stlsmo.sbcglobal.net [70.135.148.151]) by mail.messagingengine.com (Postfix) with ESMTPA id F2A891080057; Sun, 4 Apr 2021 13:26:10 -0400 (EDT) To: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" , Arend van Spriel , linux-kernel@vger.kernel.org References: <20210404004504.5547-1-samuel@sholland.org> From: Samuel Holland Subject: Re: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile() Message-ID: <2a36734b-c76c-7554-5f16-913ffebe288f@sholland.org> Date: Sun, 4 Apr 2021 12:26:10 -0500 User-Agent: Mozilla/5.0 (X11; Linux ppc64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/4/21 5:08 AM, Greg Kroah-Hartman wrote: > On Sat, Apr 03, 2021 at 07:45:04PM -0500, Samuel Holland wrote: >> This function uses devres to clean up its allocation, but it never removes the >> file referencing that allocation. This causes a use-after-free and an oops if >> the file is accessed after the owning device is removed. > > What in-kernel user of this is having this problem? > > The driver should clean up the debugfs file, it is not the debugfs > core's job to auto-remove the file. The function returns void. debugfs_remove() requires the dentry pointer, which the caller does not have. How is the driver expected to clean up the file? Do you expect the driver to remove the file as a side effect of recursively removing its parent? If so, that conflicts with the documentation for debugfs_create_devm_seqfile(), which describes NULL as a valid parent: @parent: a pointer to the parent dentry for this file. This should be a directory dentry if set. If this parameter is %NULL, then the file will be created in the root of the debugfs filesystem. There is one in-kernel caller that uses a NULL parent, in drivers/gpio/gpio-tegra.c > The resource is what is being cleaned up by the devm usage in debugfs, > that's all, not the file. > > Please fix up the driver that is creating the file but then not removing > it. In that case, the function documentation should be modified to state that the driver is responsible for removing the parent directory, and that NULL is not a valid parent here. I can send a patch doing that instead. Samuel