Re: Re: Re: [PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[Greg KH <gregkh@linuxfoundation.org>]

On Tue, Dec 23, 2025 at 10:12:48AM +0800, yangshiguang wrote:
> At 2025-12-22 22:11:38, "Greg KH" <gregkh@linuxfoundation.org> wrote:
> >On Mon, Dec 22, 2025 at 08:41:33PM +0800, yangshiguang wrote:
> >> 
> >> At 2025-12-22 19:54:22, "Greg KH" <gregkh@linuxfoundation.org> wrote:
> >> >On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@163.com wrote:
> >> >> From: yangshiguang <yangshiguang@xiaomi.com>
> >> >> 
> >> >> Check in debugfs_read_file_str() if the string pointer is NULL.
> >> >> 
> >> >> When creating a node using debugfs_create_str(), the string parameter
> >> >> value can be NULL to indicate empty/unused/ignored.
> >> >
> >> >Why would you create an empty debugfs string file?  That is not ok, we
> >> >should change that to not allow this.
> >> 
> >> Hi greg k-h,
> >> 
> >> Thanks for your reply.
> >> 
> >> This is due to the usage step, should write first and then read.
> >> However, there is no way to guarantee that everyone will know about this step.
> >
> >True.
> >
> >> And debugfs_create_str() allows passing in a NULL string. 
> >
> >Then we should fix that :)
> >
> >> Therefore, when reading a NULL string, should return an invalid error 
> >> instead of panic.
> >
> >If you call write on a NULL string, then you could call strlen() of that
> >NULL string, and do a memcpy out of that NULL string.  All not good
> >things, so your quick fix here really doesn't solve the root problem :(
> >
> 
> We all know that the problem is a NULL pointer exceptions that occur in strlen().
> However, strlen() is basic function, and we cannot pass abnormal parameters.
> We should intercept them, and this is common in the kernel.
> That's why I submitted this patch.
> 
> >> >>  	str = *(char **)file->private_data;
> >> >> +	if (!str)
> >> >> +		return -EINVAL;
> >> >
> >> >What in kernel user causes this to happen?  Let's fix that up instead
> >> >please.
> >> >
> >> 
> >> Currently I known problematic nodes in the kernel:
> >> 
> >> drivers/interconnect/debugfs-client.c:
> >>   155: 	debugfs_create_str("src_node", 0600, client_dir, &src_node);
> >>   156: 	debugfs_create_str("dst_node", 0600, client_dir, &dst_node);
> >
> >Ick, ok, that should be fixed.
> >
> >> drivers/soundwire/debugfs.c:
> >>   362: 	debugfs_create_str("firmware_file", 0200, d, &firmware_file);
> >
> >That too should be fixed, all should just create an "empty" string to
> >start with.
> >
> >> test case:
> >> 1. create a NULL string node
> >> char *test_node = NULL;
> >> debugfs_create_str("test_node", 0600, parent_dir, &test_node);
> >> 
> >> 2. read the node, like bellow:
> >> cat /sys/kernel/debug/test_node
> >
> >With your patch, you could change step 2 to do a write, and still cause
> >a crash :)
> >
> 
> This shouldn't happen. The write node calls debugfs_write_file_str().
> My test results:
> $: cat dst_node
> $: cat: dst_node: Invalid argument

I would argue that this is not ok, it should just return an empty value.

> 1|&: echo 1 > dst_node
> $: cat dst_node
> $: 1
> 
> Anyway, please show the stack.

If you call write on a NULL string, with an offset set, it will crash
based on the code paths.  I don't have a traceback as I don't want to
write the code to crash my running system at the moment :)

> >So let's fix this properly, let's just fail the creation of NULL
> >strings, and fix up all callers.
> >
> 
> As mentioned above, we shold allow the creation of NULL string nodes
> to indicate empty/unused/ignored.

No, that's not a good idea, let's just fix this properly and not allow
such things at all.  If someone really wants to do this "no value set is
illegal", then they can write their own debugfs callbacks and not use
the built-in helper.

And really, the string debugfs helper has been such a pain over the
years, I'm regretting even accepting it at all :(

thanks,

greg k-h