From: Alice Ryhl <aliceryhl@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Danilo Krummrich" <dakr@kernel.org>,
	"Benno Lossin" <lossin@kernel.org>,
	"Matthew Maurer" <mmaurer@google.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Alex Gaynor" <alex.gaynor@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Benno Lossin" <benno.lossin@proton.me>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Trevor Gross" <tmgross@umich.edu>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	"Sami Tolvanen" <samitolvanen@google.com>,
	"Timur Tabi" <ttabi@nvidia.com>,
	linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org
Subject: Re: [PATCH v5 4/4] rust: samples: Add debugfs sample
Date: Thu, 22 May 2025 17:40:43 +0000
Message-ID: <aC9hm9D458C6LsRW@google.com>
In-Reply-To: <2025052201-return-reprogram-add9@gregkh>

On Thu, May 22, 2025 at 04:15:46PM +0200, Greg Kroah-Hartman wrote:
> > > Well, take the case I described above, where the debugfs "root" is created in
> > > the module scope, but subsequent entries are created by driver instances. If a
> > > driver would use keep() in such a case, we'd effectively the file / directory
> > > (and subsequently also the corresponding memory) every time a device is unplugged
> > > (or unbound in general)."
> > > 
> > > If the module is built-in the directory from the module scope is *never*
> > > removed, but the entries the driver e.g. creates in probe() for a particular
> > > device with keep() will pile up endlessly, especially for hot-pluggable devices.
> > > 
> > > (It's getting even worse when there's data bound to such a leaked file, that
> > > might even contain a vtable that is entered from any of the fops of the file.)
> > > 
> > > That'd be clearly a bug, but for the driver author calling keep() seems like a
> > > valid thing to do -- to me that's clearly a built-in footgun.
> > 
> > I mean, for cases such as this, I could imagine that you use `keep()` on
> > the files stored inside of the driver directory, but don't use it on the
> > directory. That way, you only have to keep a single reference to an
> > entire directory around, which may be more convenient.
> 
> No, sorry, but debugfs files are "create and forget" type of things.
> The caller has NO reference back to the file at all in the C version,
> let's not add that functionality back to the rust side after I spent a
> long time removing it from the C code :)
> 
> If you really want to delete a debugfs file that you have created in the
> past, then look it up and delete it with the call that is present for
> that.
> 
> The only thing I think that might be worth "keeping" in some form, as an
> object reference as discussed, is a debugfs directory.

That could work if we don't have any Rust value for files at all. The
problem is that if we do have such values, then code like this:

let my_file = dir.create_file("my_file_name");
dir.delete_file("my_file_name");
my_file.do_something();

would be a UAF on the last line. We have to design the Rust API to avoid
such UAF, which is why I suggested the ghost objects; the delete_file()
call leaves my_file in a valid but useless state. And as a ghost object,
the .do_something() call becomes a no-op since the file is now missing
from the filesystem.

Alice
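
The ghost-object behaviour described in the message above, as an added example that is not part of the original email or of the kernel's debugfs bindings. It is a single-threaded userspace model; `Dir`, `File`, `Node`, `create_file`, `delete_file`, `read` and `is_ghost` are hypothetical names, and `read` stands in for `do_something()`.

```rust
// Added illustration: a userspace model of "ghost" file handles.
// All type and method names here are hypothetical, not kernel API.
use std::{cell::RefCell, collections::HashMap, rc::{Rc, Weak}};

/// Backing state of one file; owned only by the directory.
struct Node { contents: String }

/// Directory: the sole owner of every node created under it.
#[derive(Default)]
pub struct Dir { entries: RefCell<HashMap<String, Rc<Node>>> }

/// Handle given to the caller. It holds only a weak reference, so it may
/// outlive the node; once the node is gone the handle is a ghost.
pub struct File { node: Weak<Node> }

impl Dir {
    pub fn create_file(&self, name: &str, contents: &str) -> File {
        let node = Rc::new(Node { contents: contents.to_string() });
        let handle = File { node: Rc::downgrade(&node) };
        // Re-using a name replaces the old node; old handles become ghosts.
        self.entries.borrow_mut().insert(name.to_string(), node);
        handle
    }

    /// Look the file up by name and delete it; returns whether it existed.
    pub fn delete_file(&self, name: &str) -> bool {
        self.entries.borrow_mut().remove(name).is_some()
    }
}

impl File {
    /// Some(contents) while the file exists; None (a no-op) for a ghost.
    pub fn read(&self) -> Option<String> {
        self.node.upgrade().map(|n| n.contents.clone())
    }
    pub fn is_ghost(&self) -> bool {
        self.node.strong_count() == 0
    }
}

fn main() {
    let dir = Dir::default();
    let my_file = dir.create_file("my_file_name", "42\n");
    dir.delete_file("my_file_name");
    // The handle is still a valid value, but the operation does nothing.
    assert!(my_file.read().is_none());
}
```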
