From: Johannes Berg <johannes@sipsolutions.net>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, nstange@suse.de,
ap420073@gmail.com, David.Laight@aculab.com,
netdev@vger.kernel.org, linux-wireless@vger.kernel.org,
rafael@kernel.org
Subject: Re: [CRAZY-RFF] debugfs: track open files and release on remove
Date: Sat, 10 Oct 2020 12:47:21 +0200
Message-ID: <dd78ce5ae126de24a1e24c4e410f3ded69b8bc6a.camel@sipsolutions.net>
In-Reply-To: <20201010093824.GA986556@kroah.com>

On Sat, 2020-10-10 at 11:38 +0200, Greg KH wrote:
> On Fri, Oct 09, 2020 at 10:48:09AM +0200, Johannes Berg wrote:
> > On Fri, 2020-10-09 at 10:47 +0200, Greg KH wrote:
> >
> > > > I think adding the .owner everywhere would be good, and perhaps we can
> > > > somehow put a check somewhere like
> > > >
> > > > WARN_ON(is_module_address((unsigned long)fops) && !fops->owner);
> > > >
> > > > to prevent the issue in the future?
> > >
> > > That will fail for all of the debugfs_create_* operations, as there is
> > > only one set of file operations for all of the different files created
> > > with these calls.
> >
> > Why would it fail? Those have their fops in the core debugfs code, which
> > might have a .owner assigned but is probably built-in anyway?
>
> Bad choice of terms, it would "fail" in that this type of check would
> never actually work because the debugfs code is built into the kernel,
> and there is no module owner for it. But the value it is referencing is
> an address in a module.

Ahh.

Yes and no. I mean, yes, the check wouldn't really work.

But OTOH, this is exactly what the proxy_fops protects against.

The _only_ thing that proxy_fops *doesn't* proxy is the ->release()
method.

If you have a debugfs file that's say debugfs_create_u32(), then the
code is all built into the kernel, and - if ->release() even exists, I
didn't check now - it would surely not dereference the pointer you gave
to debugfs_create_u32(). So as long as the file is debugfs_remove()d
before the pointer becomes invalid, there's no issue.

The check I'm proposing (and actually wrote in my separate RFC patch
that didn't seem quite as crazy) would basically protect the ->release()
method only, if needed. Everything else is handled by proxy_fops.

> > > Which, now that I remember it, is why we went down the proxy "solution"
> > > in the first place :(
> >
> > Not sure I understand. That was related more to (arbitrary) files having
> > to be disappeared rather than anything else?
>
> Isn't this the same issue?

Well, not exactly? The difference is that proxy_fops basically protects
the *value*, read/write/etc., but not ->release(). So it protects more
against bus unbind or the like, where the *device* disappears, rather
than the *code* disappearing.

Now, you still need to be careful that ->release() doesn't actually
access anything related to the device, of course. As long as we don't
have a general revoke() at least.

I guess in that sense this crazy patch actually makes things *better*
than the RFC patch because it *does* call the ->release() during
debugfs_remove() and therefore allows even ->release() to access data of
the device or other data structures that are being removed; whereas the
RFC patch I also sent doesn't protect that, it just protects the code
itself.

johannes
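
A userspace C model of the distinction drawn in the message above, added here as an illustration and not code from the thread or the kernel: proxied operations stop reaching the module once the file is removed, while ->release() still does unless an owner keeps the module loaded. All struct and function names are hypothetical; the model assumes a proxied call on a removed file returns -EIO and that a set owner makes rmmod fail while the file is open.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; every name below is hypothetical, not a kernel API. */
struct model_fops {
    int (*read)(void), (*release)(void);
    bool has_owner;              /* stands in for fops->owner being set */
};
struct model_file { const struct model_fops *real_fops; bool removed; };
static bool module_loaded;       /* is the module's code still present? */
static int stale_calls;          /* calls that reached unloaded code */
static int mod_read(void)    { if (!module_loaded) stale_calls++; return 42; }
static int mod_release(void) { if (!module_loaded) stale_calls++; return 0; }
/* Proxied operation: never reaches the real fops after removal. */
static int proxy_read(struct model_file *f)
{
    return f->removed ? -EIO : f->real_fops->read();
}
/* Not proxied: ->release() runs even after removal. */
static int proxy_release(struct model_file *f) { return f->real_fops->release(); }
/* Assumption: an owner pins the module while the file is open (it is here). */
static int model_rmmod(struct model_file *f)
{
    if (f->real_fops->has_owner)
        return -EBUSY;
    f->removed = true;           /* module exit removes its debugfs file */
    module_loaded = false;
    return 0;
}

/* Open file, rmmod attempt, read, close; returns calls into unloaded code. */
static int run_scenario(bool has_owner, int *read_ret, int *rmmod_ret)
{
    struct model_fops fops = { mod_read, mod_release, has_owner };
    struct model_file f = { &fops, false };
    module_loaded = true;
    stale_calls = 0;
    *rmmod_ret = model_rmmod(&f);
    *read_ret = proxy_read(&f);
    proxy_release(&f);
    return stale_calls;
}
int main(void)
{
    int rd, rm, stale = run_scenario(false, &rd, &rm);
    printf("no owner: rmmod=%d read=%d stale_calls=%d\n", rm, rd, stale);
    return 0;
}
```

Without an owner the read is refused but the close still lands in unloaded code once; with an owner the unload is refused and nothing stale is called.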