From: Nicolai Stange <nstange@suse.de>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: David Laight <David.Laight@ACULAB.COM>,
'Taehee Yoo' <ap420073@gmail.com>,
"davem@davemloft.net" <davem@davemloft.net>,
"kuba@kernel.org" <kuba@kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Nicolai Stange <nstange@suse.de>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
"wil6210@qti.qualcomm.com" <wil6210@qti.qualcomm.com>,
"brcm80211-dev-list@cypress.com" <brcm80211-dev-list@cypress.com>,
"b43-dev@lists.infradead.org" <b43-dev@lists.infradead.org>,
"linux-bluetooth@vger.kernel.org"
<linux-bluetooth@vger.kernel.org>
Subject: [PATCH net 000/117] net: avoid to remove module when its debugfs is being used
Date: Fri, 09 Oct 2020 07:09:01 +0200 [thread overview]
Message-ID: <87v9fkgf4i.fsf@suse.de> (raw)
In-Reply-To: <62f6c2bd11ed8b25c1cd4462ebc6db870adc4229.camel@sipsolutions.net> (Johannes Berg's message of "Thu, 08 Oct 2020 18:14:15 +0200")
Johannes Berg <johannes@sipsolutions.net> writes:
> On Thu, 2020-10-08 at 15:59 +0000, David Laight wrote:
>> From: Taehee Yoo
>> > Sent: 08 October 2020 16:49
>> >
>> > When debugfs file is opened, its module should not be removed until
>> > it's closed.
>> > Because debugfs internally uses the module's data.
>> > So, it could access freed memory.
>> >
>> > In order to avoid panic, it just sets .owner to THIS_MODULE.
>> > So that all modules will be held when its debugfs file is opened.
>>
>> Can't you fix it in common code?
Probably not: it's the call to ->release() that's faulting in the Oops
quoted in the cover letter and that one can't be protected by the
core debugfs code, unfortunately.
There's a comment in full_proxy_release(), which reads as
/*
* We must not protect this against removal races here: the
* original releaser should be called unconditionally in order
* not to leak any resources. Releasers must not assume that
* ->i_private is still being meaningful here.
*/
> Yeah I was just wondering that too - weren't the proxy_fops even already
> intended to fix this?
No, as far as file_operations are concerned, the proxy fops's intent was
only to ensure that the memory the file_operations' ->owner resides in
is still valid so that try_module_get() won't splat at file open
(c.f. [1]).
You're right that the default "full" proxy fops do prevent all
file_operations but ->release() from getting invoked on removed files,
but the motivation had not been to protect the file_operations
themselves, but accesses to any stale data associated with removed files
([2]).
> The modules _should_ be removing the debugfs files, and then the
> proxy_fops should kick in, no?
No, as said, not for ->release(). I haven't looked into the inidividual
patches here, but setting ->owner indeed sounds like the right thing to
do.
But you're right that modules should be removing any left debugfs files
at exit.
Thanks,
Nicolai
[1] 9fd4dcece43a ("debugfs: prevent access to possibly dead
file_operations at file open")
[2] 49d200deaa68 ("debugfs: prevent access to removed files' private data")
--
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 N?rnberg, Germany
(HRB 36809, AG N?rnberg), GF: Felix Imend?rffer
WARNING: multiple messages have this Message-ID (diff)
From: Nicolai Stange <nstange@suse.de>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: David Laight <David.Laight@ACULAB.COM>,
'Taehee Yoo' <ap420073@gmail.com>,
"davem\@davemloft.net" <davem@davemloft.net>,
"kuba\@kernel.org" <kuba@kernel.org>,
"netdev\@vger.kernel.org" <netdev@vger.kernel.org>,
Nicolai Stange <nstange@suse.de>,
"linux-wireless\@vger.kernel.org"
<linux-wireless@vger.kernel.org>,
"wil6210\@qti.qualcomm.com" <wil6210@qti.qualcomm.com>,
"brcm80211-dev-list\@cypress.com"
<brcm80211-dev-list@cypress.com>,
"b43-dev\@lists.infradead.org" <b43-dev@lists.infradead.org>,
"linux-bluetooth\@vger.kernel.org"
<linux-bluetooth@vger.kernel.org>
Subject: Re: [PATCH net 000/117] net: avoid to remove module when its debugfs is being used
Date: Fri, 09 Oct 2020 07:09:01 +0200 [thread overview]
Message-ID: <87v9fkgf4i.fsf@suse.de> (raw)
In-Reply-To: <62f6c2bd11ed8b25c1cd4462ebc6db870adc4229.camel@sipsolutions.net> (Johannes Berg's message of "Thu, 08 Oct 2020 18:14:15 +0200")
Johannes Berg <johannes@sipsolutions.net> writes:
> On Thu, 2020-10-08 at 15:59 +0000, David Laight wrote:
>> From: Taehee Yoo
>> > Sent: 08 October 2020 16:49
>> >
>> > When debugfs file is opened, its module should not be removed until
>> > it's closed.
>> > Because debugfs internally uses the module's data.
>> > So, it could access freed memory.
>> >
>> > In order to avoid panic, it just sets .owner to THIS_MODULE.
>> > So that all modules will be held when its debugfs file is opened.
>>
>> Can't you fix it in common code?
Probably not: it's the call to ->release() that's faulting in the Oops
quoted in the cover letter and that one can't be protected by the
core debugfs code, unfortunately.
There's a comment in full_proxy_release(), which reads as
/*
* We must not protect this against removal races here: the
* original releaser should be called unconditionally in order
* not to leak any resources. Releasers must not assume that
* ->i_private is still being meaningful here.
*/
> Yeah I was just wondering that too - weren't the proxy_fops even already
> intended to fix this?
No, as far as file_operations are concerned, the proxy fops's intent was
only to ensure that the memory the file_operations' ->owner resides in
is still valid so that try_module_get() won't splat at file open
(c.f. [1]).
You're right that the default "full" proxy fops do prevent all
file_operations but ->release() from getting invoked on removed files,
but the motivation had not been to protect the file_operations
themselves, but accesses to any stale data associated with removed files
([2]).
> The modules _should_ be removing the debugfs files, and then the
> proxy_fops should kick in, no?
No, as said, not for ->release(). I haven't looked into the inidividual
patches here, but setting ->owner indeed sounds like the right thing to
do.
But you're right that modules should be removing any left debugfs files
at exit.
Thanks,
Nicolai
[1] 9fd4dcece43a ("debugfs: prevent access to possibly dead
file_operations at file open")
[2] 49d200deaa68 ("debugfs: prevent access to removed files' private data")
--
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Felix Imendörffer
next prev parent reply other threads:[~2020-10-09 5:09 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-08 15:48 [PATCH net 000/117] net: avoid to remove module when its debugfs is being used Taehee Yoo
2020-10-08 15:59 ` David Laight
2020-10-08 15:59 ` David Laight
2020-10-08 16:14 ` Johannes Berg
2020-10-08 16:14 ` Johannes Berg
2020-10-08 16:37 ` Taehee Yoo
2020-10-08 16:37 ` Taehee Yoo
2020-10-09 5:38 ` Nicolai Stange
2020-10-09 5:38 ` Nicolai Stange
2020-10-09 10:07 ` Taehee Yoo
2020-10-09 10:07 ` Taehee Yoo
2020-10-09 5:09 ` Nicolai Stange [this message]
2020-10-09 5:09 ` Nicolai Stange
2020-10-09 7:45 ` Johannes Berg
2020-10-09 7:45 ` Johannes Berg
2020-10-09 10:15 ` Taehee Yoo
2020-10-09 10:15 ` Taehee Yoo
2020-10-09 10:21 ` Johannes Berg
2020-10-09 10:21 ` Johannes Berg
2020-10-09 10:41 ` [RFC] debugfs: protect against rmmod while files are open Johannes Berg
2020-10-09 10:48 ` Johannes Berg
2020-10-09 10:56 ` David Laight
2020-10-09 10:56 ` Johannes Berg
2020-10-09 11:15 ` gregkh
2020-10-09 15:33 ` [PATCH net 000/117] net: avoid to remove module when its debugfs is being used Steve deRosier
2020-10-09 15:33 ` Steve deRosier
2020-10-09 7:53 ` [CRAZY-RFF] debugfs: track open files and release on remove Johannes Berg
2020-10-09 8:03 ` Greg KH
2020-10-09 8:06 ` Johannes Berg
2020-10-09 8:16 ` Greg KH
2020-10-09 8:19 ` Johannes Berg
2020-10-09 8:34 ` David Laight
2020-10-09 8:44 ` Johannes Berg
2020-10-09 9:00 ` David Laight
2020-10-09 8:47 ` Greg KH
2020-10-09 8:48 ` Johannes Berg
2020-10-10 9:38 ` Greg KH
2020-10-10 10:47 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v9fkgf4i.fsf@suse.de \
--to=nstange@suse.de \
--cc=David.Laight@ACULAB.COM \
--cc=ap420073@gmail.com \
--cc=b43-dev@lists.infradead.org \
--cc=brcm80211-dev-list@cypress.com \
--cc=davem@davemloft.net \
--cc=johannes@sipsolutions.net \
--cc=kuba@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=wil6210@qti.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.