| Message ID | 20230516160753.32317-4-rf@opensource.cirrus.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp543359vqo;
Tue, 16 May 2023 09:11:29 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ65EqD8NE3fYxVOZTHJLX/5y2uyGbvxu71Mzu7KnaXoq5y05EysuI35sx/AG/xY16i8rw0D
X-Received: by 2002:a05:6870:898f:b0:192:70ca:da4 with SMTP id
f15-20020a056870898f00b0019270ca0da4mr23270849oaq.10.1684253488861;
Tue, 16 May 2023 09:11:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684253488; cv=none;
d=google.com; s=arc-20160816;
b=sG8Rq6fd9s3+vUaZOpp0WTVWULR+Xm2QZ6jK+e+YsK6cKNj1i1jvKzmxY6Kv5oPI81
AE8cRS2vOEDgvSgNpXb1FxoLuB/e9SUtx1bT6Ef9IULzTv0lgWCEpAXAw/IRJt3t5Rsm
yvqhwtymCrJE8vb+Kj18bVfw1pliE4NRwaq2OigocM0b6NQO7IEzB/E9rB9O6IYubcr+
23kCFgSyD+Mi87hOGb/YDbEd8Ix1FX3efoTt24fnBhOmNjEijfWLkwIILmWGhcrqtkaf
BNDJWbEaJoC5sH4xMFoT/o1bohu6jgN4zS1bcPqVQ+PNl0DG2HqpDkWCWIayvLdoWwLK
LRYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=+MDWXt5D6nc/s9cRAPjbV0EysPuWW1pUM4Nf/uIC2MA=;
b=GNJtNCFngvGAecEXd+CQcn4RpRMkq/QuFWMcoCv5FG/QexcdjvFqBZayoPzeItDr3V
DUrxJuTPqlS1tBrx8sTuh1gm3Ge7O9QD+jPTbed0QydzGpO6TiBpE4/Kr2POr6ziqDrW
iLhPwvAoOVU0q1Y3qgyez+lONEZT2VRYCSwox/412lQH3XvwsXLxIfdAydCYJ99HhZN9
gEaEJQBgcc2ftqihxklgue2zz9V6qxdGVeGJ39R/qOtLfhuNrWpYkRpLn4UXQyj+jt8j
xTxlW89FrXMwC+12LlnPQfHzpfY/WpC+lU5YsuuFED0KPt3cTKv6JINXVJrFn+qrKoXj
4YFA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@cirrus.com header.s=PODMain02222019
header.b=Rmr3LlMw;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cirrus.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k20-20020a056870819400b00199aad87a98si4828470oae.215.2023.05.16.09.11.14;
Tue, 16 May 2023 09:11:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@cirrus.com header.s=PODMain02222019
header.b=Rmr3LlMw;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cirrus.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234513AbjEPQJa (ORCPT <rfc822;peekingduck44@gmail.com>
+ 99 others); Tue, 16 May 2023 12:09:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33316 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234113AbjEPQIu (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 16 May 2023 12:08:50 -0400
Received: from mx0b-001ae601.pphosted.com (mx0b-001ae601.pphosted.com
[67.231.152.168])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BDB8BA27F
for <linux-kernel@vger.kernel.org>;
Tue, 16 May 2023 09:08:31 -0700 (PDT)
Received: from pps.filterd (m0077474.ppops.net [127.0.0.1])
by mx0b-001ae601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
34GFMCaf029111;
Tue, 16 May 2023 11:08:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cirrus.com;
h=from : to : cc :
subject : date : message-id : in-reply-to : references : mime-version :
content-transfer-encoding : content-type; s=PODMain02222019;
bh=+MDWXt5D6nc/s9cRAPjbV0EysPuWW1pUM4Nf/uIC2MA=;
b=Rmr3LlMw/YzMnqh5fHSrsIYUIu3t91HB1bUpUMYOn/G+MCLGiFjiny3G9qkMthTeFwrh
tMdvfd4OPFjixYQ+Oh/vTWM1C62ungDPRVe6eWBHQUAavqi0FpEJ+LqClY7mzy4xNiD9
p3ONybZbxk8bErJhFUYzCTwMWJ9jvjJCSP9y2ORT/Kyk3yY/z/Th4gGV9O5QryF+Z3zS
qVIjk1T82+YIYwdWaKNQxUvc1nthJQKVsWQwhzQjCi65sm9bv4+GZLc37NQNuBF4gL5N
wqtPlt2ofc3BAV93ApkKpu3GZI9EX1+tctQwL76CKKIfjV2mZUHMfyVqxGAey+9ThpBu 0w==
Received: from ediex01.ad.cirrus.com ([84.19.233.68])
by mx0b-001ae601.pphosted.com (PPS) with ESMTPS id 3qj6ymvnvm-3
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=NOT);
Tue, 16 May 2023 11:07:59 -0500
Received: from ediex01.ad.cirrus.com (198.61.84.80) by ediex01.ad.cirrus.com
(198.61.84.80) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Tue, 16 May
2023 11:07:56 -0500
Received: from ediswmail.ad.cirrus.com (198.61.86.93) by ediex01.ad.cirrus.com
(198.61.84.80) with Microsoft SMTP Server id 15.2.1118.26 via Frontend
Transport; Tue, 16 May 2023 11:07:56 -0500
Received: from EDIN4L06LR3.ad.cirrus.com (EDIN4L06LR3.ad.cirrus.com
[198.61.64.66])
by ediswmail.ad.cirrus.com (Postfix) with ESMTP id AC99111A8;
Tue, 16 May 2023 16:07:56 +0000 (UTC)
From: Richard Fitzgerald <rf@opensource.cirrus.com>
To: <gregkh@linuxfoundation.org>, <rafael@kernel.org>
CC: <linux-kernel@vger.kernel.org>, <patches@opensource.cirrus.com>,
Richard Fitzgerald <rf@opensource.cirrus.com>
Subject: [PATCH 3/5] debugfs: Update debugfs_create_str() kerneldoc to warn
about pointer race
Date: Tue, 16 May 2023 17:07:51 +0100
Message-ID: <20230516160753.32317-4-rf@opensource.cirrus.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230516160753.32317-1-rf@opensource.cirrus.com>
References: <20230516160753.32317-1-rf@opensource.cirrus.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Proofpoint-GUID: Of7ZDDsEtC4tmVWJr_igdUJqwZdbJ2F7
X-Proofpoint-ORIG-GUID: Of7ZDDsEtC4tmVWJr_igdUJqwZdbJ2F7
X-Proofpoint-Spam-Reason: safe
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS,
T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1766067786560976410?=
X-GMAIL-MSGID: =?utf-8?q?1766067786560976410?=
|
| Series |
debugfs: Fixes and improvements to debugfs_create_str()
|
|
Commit Message
Richard Fitzgerald
May 16, 2023, 4:07 p.m. UTC
Add a warning to the debugfs_create_str() kerneldoc that the char * pointer
value must not change after the function returns, because of a race with
debugfs_read_file_str() accessing the pointer.
The only safe case is a change from NULL to non-NULL because in that case
debugfs_read_file_str() will see either the NULL or the valid pointer.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
---
fs/debugfs/file.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
Comments
On Tue, May 16, 2023 at 05:07:51PM +0100, Richard Fitzgerald wrote: > Add a warning to the debugfs_create_str() kerneldoc that the char * pointer > value must not change after the function returns, because of a race with > debugfs_read_file_str() accessing the pointer. > > The only safe case is a change from NULL to non-NULL because in that case > debugfs_read_file_str() will see either the NULL or the valid pointer. > > Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> > --- > fs/debugfs/file.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c > index 0c039a3d9a42..77794871f26d 100644 > --- a/fs/debugfs/file.c > +++ b/fs/debugfs/file.c > @@ -938,11 +938,18 @@ static const struct file_operations fops_str_wo = { > * directory dentry if set. If this parameter is %NULL, then the > * file will be created in the root of the debugfs filesystem. > * @value: a pointer to the variable that the file should read to and write > - * from. > + * from. The char* pointer must not change, except from NULL to > + * non-NULL. This feels odd. Why wouldn't you want to change the string value? Or why would you? And why is this one-way transition ok? Given that this is only used internally, why is it exported? thanks, greg k-h
On 16/5/23 17:35, Greg KH wrote: > On Tue, May 16, 2023 at 05:07:51PM +0100, Richard Fitzgerald wrote: >> Add a warning to the debugfs_create_str() kerneldoc that the char * pointer >> value must not change after the function returns, because of a race with >> debugfs_read_file_str() accessing the pointer. >> >> The only safe case is a change from NULL to non-NULL because in that case >> debugfs_read_file_str() will see either the NULL or the valid pointer. >> >> Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> >> --- >> fs/debugfs/file.c | 9 ++++++++- >> 1 file changed, 8 insertions(+), 1 deletion(-) >> >> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c >> index 0c039a3d9a42..77794871f26d 100644 >> --- a/fs/debugfs/file.c >> +++ b/fs/debugfs/file.c >> @@ -938,11 +938,18 @@ static const struct file_operations fops_str_wo = { >> * directory dentry if set. If this parameter is %NULL, then the >> * file will be created in the root of the debugfs filesystem. >> * @value: a pointer to the variable that the file should read to and write >> - * from. >> + * from. The char* pointer must not change, except from NULL to >> + * non-NULL. > > This feels odd. Why wouldn't you want to change the string value? Or > why would you? Well, if you _would_ want to change the string value, then the implementation of debugfs_create_str() is certainly broken and could only be fixed by involving a shared mutex to protect use of the pointer. > > And why is this one-way transition ok? > This one case happens to be safe because it either sees NULL (which it handles) or a valid pointer (which is ok). It will not result in using a stale pointer. This wasn't a deliberate design intent but happens to be safe, and easily maintainable behavior. A transition from valid->NULL or old->new isn't safe because the read function could get the old pointer but racing with that is the change to the pointer, and so the debugfs code could try to use a stale pointer. > Given that this is only used internally, why is it exported? > It isn't only used internally. I found 3 drivers that use it. But there are no uses internal to debugfs. I didn't write debugfs_create_str(), I only tried to use it and made an attempt to fix some problems. Given the limitations of the basic implementation of debugfs_create_str() and its file reading function (the lack of protection against the pointer changing) perhaps drop this chain? Don't bother fixing it, instead deprecate it for being unsafe? > thanks, > > greg k-h
On Tue, May 16, 2023 at 06:50:16PM +0100, Richard Fitzgerald wrote: > On 16/5/23 17:35, Greg KH wrote: > > On Tue, May 16, 2023 at 05:07:51PM +0100, Richard Fitzgerald wrote: > > > Add a warning to the debugfs_create_str() kerneldoc that the char * pointer > > > value must not change after the function returns, because of a race with > > > debugfs_read_file_str() accessing the pointer. > > > > > > The only safe case is a change from NULL to non-NULL because in that case > > > debugfs_read_file_str() will see either the NULL or the valid pointer. > > > > > > Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> > > > --- > > > fs/debugfs/file.c | 9 ++++++++- > > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > > > diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c > > > index 0c039a3d9a42..77794871f26d 100644 > > > --- a/fs/debugfs/file.c > > > +++ b/fs/debugfs/file.c > > > @@ -938,11 +938,18 @@ static const struct file_operations fops_str_wo = { > > > * directory dentry if set. If this parameter is %NULL, then the > > > * file will be created in the root of the debugfs filesystem. > > > * @value: a pointer to the variable that the file should read to and write > > > - * from. > > > + * from. The char* pointer must not change, except from NULL to > > > + * non-NULL. > > > > This feels odd. Why wouldn't you want to change the string value? Or > > why would you? > > Well, if you _would_ want to change the string value, then the > implementation of debugfs_create_str() is certainly broken and could > only be fixed by involving a shared mutex to protect use of the pointer. Agreed. So let's just say "never change the pointer" and leave it at that? > > And why is this one-way transition ok? > > > > This one case happens to be safe because it either sees NULL (which it > handles) or a valid pointer (which is ok). It will not result in using a > stale pointer. This wasn't a deliberate design intent but happens to be > safe, and easily maintainable behavior. > > A transition from valid->NULL or old->new isn't safe because the > read function could get the old pointer but racing with that is the > change to the pointer, and so the debugfs code could try to use a > stale pointer. > > > Given that this is only used internally, why is it exported? > > > > It isn't only used internally. I found 3 drivers that use it. > But there are no uses internal to debugfs. Oops, I missed the other users (arm_scmi and opp), so let's leave it. > I didn't write debugfs_create_str(), I only tried to use it and made > an attempt to fix some problems. > > Given the limitations of the basic implementation of > debugfs_create_str() and its file reading function (the lack of > protection against the pointer changing) perhaps drop this chain? Don't > bother fixing it, instead deprecate it for being unsafe? We don't "deprecate" things, that never works. We either fix them, or rip them out :) thanks, greg k-h
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 0c039a3d9a42..77794871f26d 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -938,11 +938,18 @@ static const struct file_operations fops_str_wo = { * directory dentry if set. If this parameter is %NULL, then the * file will be created in the root of the debugfs filesystem. * @value: a pointer to the variable that the file should read to and write - * from. + * from. The char* pointer must not change, except from NULL to + * non-NULL. * * This function creates a file in debugfs with the given name that * contains the value of the variable @value. If the @mode variable is so * set, it can be read from, and written to. + * + * The char* pointed to by @value must not change after calling this + * function EXCEPT that it may change from NULL to non-NULL. This is to + * prevent the file read from accessing a stale pointer. A change from + * NULL to non-NULL is the only safe change, because the read will + * instantaneously see either NULL or the valid pointer. */ void debugfs_create_str(const char *name, umode_t mode, struct dentry *parent, char **value)