[PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[yangshiguang1011]

From: yangshiguang <yangshiguang@xiaomi.com>

Check in debugfs_read_file_str() if the string pointer is NULL.

When creating a node using debugfs_create_str(), the string parameter
value can be NULL to indicate empty/unused/ignored.
However, reading this node using debugfs_read_file_str() will cause a
kernel panic.
This should not be fatal, so return an invalid error.

Signed-off-by: yangshiguang <yangshiguang@xiaomi.com>
Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
Cc: stable@vger.kernel.org
---
 fs/debugfs/file.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 3ec3324c2060..a22ff0ceb230 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -1026,6 +1026,9 @@ ssize_t debugfs_read_file_str(struct file *file, char __user *user_buf,
 		return ret;
 
 	str = *(char **)file->private_data;
+	if (!str)
+		return -EINVAL;
+
 	len = strlen(str) + 1;
 	copy = kmalloc(len, GFP_KERNEL);
 	if (!copy) {
-- 
2.43.0

Re: [PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[Greg KH]

On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@163.com wrote:
> From: yangshiguang <yangshiguang@xiaomi.com>
> 
> Check in debugfs_read_file_str() if the string pointer is NULL.
> 
> When creating a node using debugfs_create_str(), the string parameter
> value can be NULL to indicate empty/unused/ignored.

Why would you create an empty debugfs string file?  That is not ok, we
should change that to not allow this.

> However, reading this node using debugfs_read_file_str() will cause a
> kernel panic.
> This should not be fatal, so return an invalid error.
> 
> Signed-off-by: yangshiguang <yangshiguang@xiaomi.com>
> Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
> Cc: stable@vger.kernel.org
> ---
>  fs/debugfs/file.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
> index 3ec3324c2060..a22ff0ceb230 100644
> --- a/fs/debugfs/file.c
> +++ b/fs/debugfs/file.c
> @@ -1026,6 +1026,9 @@ ssize_t debugfs_read_file_str(struct file *file, char __user *user_buf,
>  		return ret;
>  
>  	str = *(char **)file->private_data;
> +	if (!str)
> +		return -EINVAL;

What in kernel user causes this to happen?  Let's fix that up instead
please.

thanks,

greg k-h

Re:Re: [PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[yangshiguang]

At 2025-12-22 19:54:22, "Greg KH" <gregkh@linuxfoundation.org> wrote:
>On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@163.com wrote:
>> From: yangshiguang <yangshiguang@xiaomi.com>
>> 
>> Check in debugfs_read_file_str() if the string pointer is NULL.
>> 
>> When creating a node using debugfs_create_str(), the string parameter
>> value can be NULL to indicate empty/unused/ignored.
>
>Why would you create an empty debugfs string file?  That is not ok, we
>should change that to not allow this.

Hi greg k-h,

Thanks for your reply.

This is due to the usage step, should write first and then read.
However, there is no way to guarantee that everyone will know about this step.

And debugfs_create_str() allows passing in a NULL string. 
Therefore, when reading a NULL string, should return an invalid error 
instead of panic.

>
>> However, reading this node using debugfs_read_file_str() will cause a
>> kernel panic.
>> This should not be fatal, so return an invalid error.
>> 
>> Signed-off-by: yangshiguang <yangshiguang@xiaomi.com>
>> Fixes: 9af0440ec86e ("debugfs: Implement debugfs_create_str()")
>> Cc: stable@vger.kernel.org
>> ---
>>  fs/debugfs/file.c | 3 +++
>>  1 file changed, 3 insertions(+)
>> 
>> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
>> index 3ec3324c2060..a22ff0ceb230 100644
>> --- a/fs/debugfs/file.c
>> +++ b/fs/debugfs/file.c
>> @@ -1026,6 +1026,9 @@ ssize_t debugfs_read_file_str(struct file *file, char __user *user_buf,
>>  		return ret;
>>  
>>  	str = *(char **)file->private_data;
>> +	if (!str)
>> +		return -EINVAL;
>
>What in kernel user causes this to happen?  Let's fix that up instead
>please.
>

Currently I known problematic nodes in the kernel:

drivers/interconnect/debugfs-client.c:
  155: 	debugfs_create_str("src_node", 0600, client_dir, &src_node);
  156: 	debugfs_create_str("dst_node", 0600, client_dir, &dst_node);
drivers/soundwire/debugfs.c:
  362: 	debugfs_create_str("firmware_file", 0200, d, &firmware_file);

test case:
1. create a NULL string node
char *test_node = NULL;
debugfs_create_str("test_node", 0600, parent_dir, &test_node);

2. read the node, like bellow:
cat /sys/kernel/debug/test_node

>thanks,
>
>greg k-h

Re: Re: [PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[Greg KH]

On Mon, Dec 22, 2025 at 08:41:33PM +0800, yangshiguang wrote:
> 
> At 2025-12-22 19:54:22, "Greg KH" <gregkh@linuxfoundation.org> wrote:
> >On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@163.com wrote:
> >> From: yangshiguang <yangshiguang@xiaomi.com>
> >> 
> >> Check in debugfs_read_file_str() if the string pointer is NULL.
> >> 
> >> When creating a node using debugfs_create_str(), the string parameter
> >> value can be NULL to indicate empty/unused/ignored.
> >
> >Why would you create an empty debugfs string file?  That is not ok, we
> >should change that to not allow this.
> 
> Hi greg k-h,
> 
> Thanks for your reply.
> 
> This is due to the usage step, should write first and then read.
> However, there is no way to guarantee that everyone will know about this step.

True.

> And debugfs_create_str() allows passing in a NULL string. 

Then we should fix that :)

> Therefore, when reading a NULL string, should return an invalid error 
> instead of panic.

If you call write on a NULL string, then you could call strlen() of that
NULL string, and do a memcpy out of that NULL string.  All not good
things, so your quick fix here really doesn't solve the root problem :(

> >>  	str = *(char **)file->private_data;
> >> +	if (!str)
> >> +		return -EINVAL;
> >
> >What in kernel user causes this to happen?  Let's fix that up instead
> >please.
> >
> 
> Currently I known problematic nodes in the kernel:
> 
> drivers/interconnect/debugfs-client.c:
>   155: 	debugfs_create_str("src_node", 0600, client_dir, &src_node);
>   156: 	debugfs_create_str("dst_node", 0600, client_dir, &dst_node);

Ick, ok, that should be fixed.

> drivers/soundwire/debugfs.c:
>   362: 	debugfs_create_str("firmware_file", 0200, d, &firmware_file);

That too should be fixed, all should just create an "empty" string to
start with.

> test case:
> 1. create a NULL string node
> char *test_node = NULL;
> debugfs_create_str("test_node", 0600, parent_dir, &test_node);
> 
> 2. read the node, like bellow:
> cat /sys/kernel/debug/test_node

With your patch, you could change step 2 to do a write, and still cause
a crash :)

So let's fix this properly, let's just fail the creation of NULL
strings, and fix up all callers.

thanks,

greg k-h

Re:Re: Re: [PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[yangshiguang]

At 2025-12-22 22:11:38, "Greg KH" <gregkh@linuxfoundation.org> wrote:
>On Mon, Dec 22, 2025 at 08:41:33PM +0800, yangshiguang wrote:
>> 
>> At 2025-12-22 19:54:22, "Greg KH" <gregkh@linuxfoundation.org> wrote:
>> >On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@163.com wrote:
>> >> From: yangshiguang <yangshiguang@xiaomi.com>
>> >> 
>> >> Check in debugfs_read_file_str() if the string pointer is NULL.
>> >> 
>> >> When creating a node using debugfs_create_str(), the string parameter
>> >> value can be NULL to indicate empty/unused/ignored.
>> >
>> >Why would you create an empty debugfs string file?  That is not ok, we
>> >should change that to not allow this.
>> 
>> Hi greg k-h,
>> 
>> Thanks for your reply.
>> 
>> This is due to the usage step, should write first and then read.
>> However, there is no way to guarantee that everyone will know about this step.
>
>True.
>
>> And debugfs_create_str() allows passing in a NULL string. 
>
>Then we should fix that :)
>
>> Therefore, when reading a NULL string, should return an invalid error 
>> instead of panic.
>
>If you call write on a NULL string, then you could call strlen() of that
>NULL string, and do a memcpy out of that NULL string.  All not good
>things, so your quick fix here really doesn't solve the root problem :(
>

We all know that the problem is a NULL pointer exceptions that occur in strlen().
However, strlen() is basic function, and we cannot pass abnormal parameters.
We should intercept them, and this is common in the kernel.
That's why I submitted this patch.

>> >>  	str = *(char **)file->private_data;
>> >> +	if (!str)
>> >> +		return -EINVAL;
>> >
>> >What in kernel user causes this to happen?  Let's fix that up instead
>> >please.
>> >
>> 
>> Currently I known problematic nodes in the kernel:
>> 
>> drivers/interconnect/debugfs-client.c:
>>   155: 	debugfs_create_str("src_node", 0600, client_dir, &src_node);
>>   156: 	debugfs_create_str("dst_node", 0600, client_dir, &dst_node);
>
>Ick, ok, that should be fixed.
>
>> drivers/soundwire/debugfs.c:
>>   362: 	debugfs_create_str("firmware_file", 0200, d, &firmware_file);
>
>That too should be fixed, all should just create an "empty" string to
>start with.
>
>> test case:
>> 1. create a NULL string node
>> char *test_node = NULL;
>> debugfs_create_str("test_node", 0600, parent_dir, &test_node);
>> 
>> 2. read the node, like bellow:
>> cat /sys/kernel/debug/test_node
>
>With your patch, you could change step 2 to do a write, and still cause
>a crash :)
>

This shouldn't happen. The write node calls debugfs_write_file_str().
My test results:
$: cat dst_node
$: cat: dst_node: Invalid argument
1|&: echo 1 > dst_node
$: cat dst_node
$: 1

Anyway, please show the stack.

>So let's fix this properly, let's just fail the creation of NULL
>strings, and fix up all callers.
>

As mentioned above, we shold allow the creation of NULL string nodes
to indicate empty/unused/ignored.

>thanks,
>
>greg k-h

Re: Re: Re: [PATCH] debugfs: Fix NULL pointer dereference at debugfs_read_file_str

[Greg KH]

On Tue, Dec 23, 2025 at 10:12:48AM +0800, yangshiguang wrote:
> At 2025-12-22 22:11:38, "Greg KH" <gregkh@linuxfoundation.org> wrote:
> >On Mon, Dec 22, 2025 at 08:41:33PM +0800, yangshiguang wrote:
> >> 
> >> At 2025-12-22 19:54:22, "Greg KH" <gregkh@linuxfoundation.org> wrote:
> >> >On Mon, Dec 22, 2025 at 05:36:16PM +0800, yangshiguang1011@163.com wrote:
> >> >> From: yangshiguang <yangshiguang@xiaomi.com>
> >> >> 
> >> >> Check in debugfs_read_file_str() if the string pointer is NULL.
> >> >> 
> >> >> When creating a node using debugfs_create_str(), the string parameter
> >> >> value can be NULL to indicate empty/unused/ignored.
> >> >
> >> >Why would you create an empty debugfs string file?  That is not ok, we
> >> >should change that to not allow this.
> >> 
> >> Hi greg k-h,
> >> 
> >> Thanks for your reply.
> >> 
> >> This is due to the usage step, should write first and then read.
> >> However, there is no way to guarantee that everyone will know about this step.
> >
> >True.
> >
> >> And debugfs_create_str() allows passing in a NULL string. 
> >
> >Then we should fix that :)
> >
> >> Therefore, when reading a NULL string, should return an invalid error 
> >> instead of panic.
> >
> >If you call write on a NULL string, then you could call strlen() of that
> >NULL string, and do a memcpy out of that NULL string.  All not good
> >things, so your quick fix here really doesn't solve the root problem :(
> >
> 
> We all know that the problem is a NULL pointer exceptions that occur in strlen().
> However, strlen() is basic function, and we cannot pass abnormal parameters.
> We should intercept them, and this is common in the kernel.
> That's why I submitted this patch.
> 
> >> >>  	str = *(char **)file->private_data;
> >> >> +	if (!str)
> >> >> +		return -EINVAL;
> >> >
> >> >What in kernel user causes this to happen?  Let's fix that up instead
> >> >please.
> >> >
> >> 
> >> Currently I known problematic nodes in the kernel:
> >> 
> >> drivers/interconnect/debugfs-client.c:
> >>   155: 	debugfs_create_str("src_node", 0600, client_dir, &src_node);
> >>   156: 	debugfs_create_str("dst_node", 0600, client_dir, &dst_node);
> >
> >Ick, ok, that should be fixed.
> >
> >> drivers/soundwire/debugfs.c:
> >>   362: 	debugfs_create_str("firmware_file", 0200, d, &firmware_file);
> >
> >That too should be fixed, all should just create an "empty" string to
> >start with.
> >
> >> test case:
> >> 1. create a NULL string node
> >> char *test_node = NULL;
> >> debugfs_create_str("test_node", 0600, parent_dir, &test_node);
> >> 
> >> 2. read the node, like bellow:
> >> cat /sys/kernel/debug/test_node
> >
> >With your patch, you could change step 2 to do a write, and still cause
> >a crash :)
> >
> 
> This shouldn't happen. The write node calls debugfs_write_file_str().
> My test results:
> $: cat dst_node
> $: cat: dst_node: Invalid argument

I would argue that this is not ok, it should just return an empty value.

> 1|&: echo 1 > dst_node
> $: cat dst_node
> $: 1
> 
> Anyway, please show the stack.

If you call write on a NULL string, with an offset set, it will crash
based on the code paths.  I don't have a traceback as I don't want to
write the code to crash my running system at the moment :)

> >So let's fix this properly, let's just fail the creation of NULL
> >strings, and fix up all callers.
> >
> 
> As mentioned above, we shold allow the creation of NULL string nodes
> to indicate empty/unused/ignored.

No, that's not a good idea, let's just fix this properly and not allow
such things at all.  If someone really wants to do this "no value set is
illegal", then they can write their own debugfs callbacks and not use
the built-in helper.

And really, the string debugfs helper has been such a pain over the
years, I'm regretting even accepting it at all :(

thanks,

greg k-h