From patchwork Fri Jun 19 16:16:20 2020
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1313126
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2 56/57][B] debugfs: open_proxy_open(): avoid double fops release
Date: Fri, 19 Jun 2020 11:16:20 -0500
Message-Id: <20200619161621.644540-57-seth.forshee@canonical.com>
In-Reply-To: <20200619161621.644540-1-seth.forshee@canonical.com>
References: <20200619161621.644540-1-seth.forshee@canonical.com>

From: Nicolai Stange

BugLink: https://bugs.launchpad.net/bugs/1884159

Debugfs' open_proxy_open(), the ->open() installed at all inodes created
through debugfs_create_file_unsafe(),
- grabs a reference to the original file_operations instance passed to
  debugfs_create_file_unsafe() via fops_get(),
- installs it at the file's ->f_op by means of replace_fops()
- and calls fops_put() on it.

Since the semantics of replace_fops() are such that the reference's
ownership is transferred, the subsequent fops_put() will result in a double
release when the file is eventually closed.

Currently, this is not an issue since fops_put() basically does a
module_put() on the file_operations' ->owner only and there don't exist any
modules calling debugfs_create_file_unsafe() yet. This is expected to change
in the future though, c.f. commit c64688081490 ("debugfs: add support for
self-protecting attribute file fops").

Remove the call to fops_put() from open_proxy_open().

Fixes: 9fd4dcece43a ("debugfs: prevent access to possibly dead file_operations at file open")
Signed-off-by: Nicolai Stange
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit 75f0b68b75dabb3ff551440163fd67b3fc62901a)
Signed-off-by: Seth Forshee
--- fs/debugfs/file.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index d1ec80331414..592059f88e04 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -127,7 +127,6 @@ static int open_proxy_open(struct inode *inode, struct file *filp) r = real_fops->open(inode, filp); out: - fops_put(real_fops); debugfs_use_file_finish(srcu_idx); return r; }
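
Review bot: The removed fops_put(real_fops) sat under the shared out: label, so any goto out taken after fops_get() has succeeded but before replace_fops() has taken over the reference would now leak that reference instead of dropping it. Please confirm against the part of open_proxy_open() above this hunk that no such early exit exists in the tree this is being applied to, or drop the reference explicitly on that path. A one-line comment at out: stating that the reference is owned by the file's ->f_op once replace_fops() has run would keep the put from being reintroduced later. The commit message's "not an issue" assessment depends on no module calling debugfs_create_file_unsafe(), which is worth re-checking for this backport target rather than assuming from upstream.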