Re: [PATCH v2 2/3] staging: rtl8192u: move debug files to debugfs

[Greg Kroah-Hartman <gregkh@linuxfoundation.org>]

On Tue, Jul 19, 2022 at 09:58:24PM -0700, Tong Zhang wrote:
> On Tue, Jul 19, 2022 at 5:53 AM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > On Mon, Jul 18, 2022 at 10:50:37PM -0700, Tong Zhang wrote:
> > > There are 4 debug files created under /proc/net/[Devname]. Devname could
> > > Due to this is purely for debuging as files are created read only,
> > > move this to debugfs like other NIC drivers do instead of using procfs.
> > > This is also to prepare for address rmmod warn issue.
> >
> > Minor comments based on good debugfs usage:
> >
> > > --- a/drivers/staging/rtl8192u/r8192U.h
> > > +++ b/drivers/staging/rtl8192u/r8192U.h
> > > @@ -1061,6 +1061,9 @@ typedef struct r8192_priv {
> > >       struct delayed_work gpio_change_rf_wq;
> > >       struct delayed_work initialgain_operate_wq;
> > >       struct workqueue_struct *priv_wq;
> > > +
> > > +     /* debugfs */
> > > +     struct dentry *debugfs_dir;
> >
> > Why do you need to save this dentry?  Can't you just look it up when you
> > want to remove the files?
> >
> 
> Hi Greg,
> Thanks for the comments.
> 
> I am thinking whether it is possible to rename the device and run
> rmmod to remove something it shouldn't.
> If we are using debugfs_lookup(dev->name, NULL), say, the existing
> directories/files are
> 
>   /sys/kernel/debug/DIRA
>   /sys/kernel/debug/wlan0

Ick, wait, that's not good.  We need a driver subdirectory name in there
so that this driver doesn't stomp over some other driver that might be
doing the same foolish thing and using the root of debugfs.

> I then rename device wlan0 to DIRA, after that I remove the module by
> doing rmmod.
> Apparently either the wlan0 directory will not be renamed successfully
> due to collision or DIRA directory might be overwritten? (this part I
> haven't checked yet)
> Either Way,  later on if we do rmmod, the driver will try to do
> debugfs_lookup("fileA", NULL) and remove /sys/kernel/debug/DIRA which
> it shouldn't.
> Or if it is possible to rename the device to some wacky string
> containing wildcard or .. to launch an attack.
> 
> Maybe I am being naive but please correct me if I am wrong.
> 
> Or maybe we should put those debug files under the module's own
> directory and do lookup from there instead. like the following dir
> structure
> 
> /sys/kernel/debug/r8192u_usb/wlan0/stats-rx
> /sys/kernel/debug/r8192u_usb/wlan0/stats-rx
> /sys/kernel/debug/r8192u_usb/wlan0/stats-ap
> /sys/kernel/debug/r8192u_usb/wlan0/registers

Yes, that would be much much better.  That way you "know" you can look
up the name again correctly.

thanks,

greg k-h