On Sat, 2020-10-10 at 11:38 +0200, Greg KH wrote:
> On Fri, Oct 09, 2020 at 10:48:09AM +0200, Johannes Berg wrote:
> > On Fri, 2020-10-09 at 10:47 +0200, Greg KH wrote:
> > >
> > > > I think adding the .owner everywhere would be good, and perhaps we can
> > > > somehow put a check somewhere like
> > > >
> > > > WARN_ON(is_module_address((unsigned long)fops) && !fops->owner);
> > > >
> > > > to prevent the issue in the future?
> > >
> > > That will fail for all of the debugfs_create_* operations, as there is
> > > only one set of file operations for all of the different files created
> > > with these calls.
> >
> > Why would it fail? Those have their fops in the core debugfs code, which
> > might have a .owner assigned but is probably built-in anyway?
>
> Bad choice of terms, it would "fail" in that this type of check would
> never actually work because the debugfs code is built into the kernel,
> and there is no module owner for it. But the value it is referencing is
> an address in a module.

Ahh. Yes and no.

I mean, yes, the check wouldn't really work. But OTOH, this is exactly
what the proxy_fops protects against. The _only_ thing that proxy_fops
*doesn't* proxy is the ->release() method.

If you have a debugfs file that's, say, debugfs_create_u32(), then the
code is all built into the kernel, and - if ->release() even exists, I
didn't check now - it would surely not dereference the pointer you gave
to debugfs_create_u32(). So as long as the file is debugfs_remove()d
before the pointer becomes invalid, there's no issue.

The check I'm proposing (and actually wrote in my separate RFC patch
that didn't seem quite as crazy) would basically protect the ->release()
method only, if needed. Everything else is handled by proxy_fops.

> > > Which, now that I remember it, is why we went down the proxy "solution"
> > > in the first place :(
> >
> > Not sure I understand. That was related more to (arbitrary) files having
> > to be disappeared rather than anything else?
>
> Isn't this the same issue?

Well, not exactly? The difference is that proxy_fops basically protects
the *value*, read/write/etc., but not ->release(). So it protects more
against bus unbind or the like, where the *device* disappears, rather
than the *code* disappearing.

Now, you still need to be careful that ->release() doesn't actually
access anything related to the device, of course. As long as we don't
have a general revoke() at least.

I guess in that sense this crazy patch actually makes things *better*
than the RFC patch because it *does* call the ->release() during
debugfs_remove() and therefore allows even ->release() to access data of
the device or other data structures that are being removed; whereas the
RFC patch I also sent doesn't protect that, it just protects the code
itself.

johannes
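The following is an added userspace model of the behaviour discussed in this thread; it is not the kernel's debugfs code and not part of any patch posted here. It models proxy_fops as a wrapper that refuses read/write once the node is marked removed but forwards ->release() unconditionally, and it models the proposed WARN_ON(is_module_address(fops) && !fops->owner) check with a caller-supplied is_module_address flag, since userspace cannot compute that. All struct and function names (debugfs_node, mod_fops, owner_check_fires, and so on) are constructed for the model; .owner is a string here rather than a struct module pointer.

```c
/* Added example (not kernel code): userspace model of debugfs proxy_fops
 * and of the proposed .owner check. All names are constructed for the model. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct file;

/* Minimal stand-in for the kernel's struct file_operations. */
struct file_operations {
    long (*read)(struct file *f);
    long (*write)(struct file *f, long v);
    int  (*release)(struct file *f);
    const char *owner;          /* models .owner; NULL = no module owner */
};

/* Stand-in for a debugfs dentry: the creator's fops plus a "removed" flag
 * standing in for the state the kernel's debugfs_file_get()/put() check. */
struct debugfs_node {
    const struct file_operations *real_fops;
    int removed;
};

struct file {
    struct debugfs_node *node;
    long value;                 /* the value the file exposes */
};

/* --- "module" side: fops a driver would hand to debugfs_create_file() --- */
static int mod_release_calls;   /* counts how often the real ->release() ran */

static long mod_read(struct file *f)          { return f->value; }
static long mod_write(struct file *f, long v) { f->value = v; return 0; }
static int  mod_release(struct file *f)       { (void)f; mod_release_calls++; return 0; }

static const struct file_operations mod_fops = {
    mod_read, mod_write, mod_release, NULL /* no .owner set, as in the thread */
};

/* --- debugfs core side: proxy_fops guards read/write but not release --- */
static long proxy_read(struct file *f)
{
    if (f->node->removed)
        return -EIO;            /* file removed: never enter the creator's code */
    return f->node->real_fops->read(f);
}

static long proxy_write(struct file *f, long v)
{
    if (f->node->removed)
        return -EIO;
    return f->node->real_fops->write(f, v);
}

static int proxy_release(struct file *f)
{
    /* The one op the proxy does not guard: the real ->release() always runs. */
    return f->node->real_fops->release(f);
}

static const struct file_operations proxy_fops = {
    proxy_read, proxy_write, proxy_release, "debugfs-core"
};

/* Model of the proposed check: fops located in a module but carrying no
 * owner. Returns 1 when the WARN_ON would fire. */
int owner_check_fires(const struct file_operations *fops, int is_module_address)
{
    return is_module_address && fops->owner == NULL;
}

/* Scenarios: write/read through the proxy before and after removal. */
long read_before_remove(void)
{
    struct debugfs_node node = { &mod_fops, 0 };
    struct file f = { &node, 0 };
    proxy_fops.write(&f, 42);
    return proxy_fops.read(&f);         /* forwarded to the module's read */
}

long read_after_remove(void)
{
    struct debugfs_node node = { &mod_fops, 0 };
    struct file f = { &node, 7 };
    node.removed = 1;                   /* debugfs_remove() has happened */
    return proxy_fops.read(&f);         /* -EIO, module code not entered */
}

int release_after_remove(void)
{
    struct debugfs_node node = { &mod_fops, 0 };
    struct file f = { &node, 0 };
    mod_release_calls = 0;
    node.removed = 1;
    proxy_fops.release(&f);
    return mod_release_calls;           /* real release ran despite removal */
}

int main(void)
{
    printf("read before remove: %ld\n", read_before_remove());
    printf("read after remove: %ld (-EIO is %d)\n", read_after_remove(), -EIO);
    printf("real release calls after remove: %d\n", release_after_remove());
    printf("owner check fires for module fops without .owner: %d\n",
           owner_check_fires(&mod_fops, 1));
    printf("owner check fires for built-in proxy_fops: %d\n",
           owner_check_fires(&proxy_fops, 0));
    return 0;
}
```

The model makes the thread's two points visible side by side: read and write after removal never reach the creator's code, while ->release() still does, which is why the proposed check would only add value for that one method, and why it says nothing about the built-in proxy_fops itself.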