From patchwork Fri Jun 19 16:50:08 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 1313196
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH v2 55/57][X] debugfs: full_proxy_open(): free proxy on ->open() failure
Date: Fri, 19 Jun 2020 11:50:08 -0500
Message-Id: <20200619165010.645925-56-seth.forshee@canonical.com>
In-Reply-To: <20200619165010.645925-1-seth.forshee@canonical.com>
References: <20200619165010.645925-1-seth.forshee@canonical.com>
List-Id: Kernel team discussions

From: Nicolai Stange

BugLink: https://bugs.launchpad.net/bugs/1884159

Debugfs' full_proxy_open(), the ->open() installed at all inodes created
through debugfs_create_file(),
- grabs a reference to the original struct file_operations instance passed
  to debugfs_create_file(),
- dynamically allocates a proxy struct file_operations instance wrapping
  the original
- and installs this at the file's ->f_op.

Afterwards, it calls the original ->open() and passes its return value back
to the VFS layer.

Now, if that return value indicates failure, the VFS layer won't ever call
->release() and thus, neither the reference to the original file_operations
nor the memory for the proxy file_operations will get released, i.e. both
are leaked.

Upon failure of the original fops' ->open(), undo the proxy installation.
That is:
- Set the struct file ->f_op to what it had been when full_proxy_open() was
  entered.
- Drop the reference to the original file_operations.
- Free the memory holding the proxy file_operations.

Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
Signed-off-by: Nicolai Stange
Signed-off-by: Greg Kroah-Hartman
(cherry picked from commit b10e3e90485e32e4cea9e35d2295ee7bffaeff73)
Signed-off-by: Seth Forshee
---
 fs/debugfs/file.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c index 9c1c9a01b7e5..d1ec80331414 100644 --- a/fs/debugfs/file.c +++ b/fs/debugfs/file.c @@ -262,8 +262,10 @@ static int full_proxy_open(struct inode *inode, struct file *filp) if (real_fops->open) { r = real_fops->open(inode, filp); - - if (filp->f_op != proxy_fops) { + if (r) { + replace_fops(filp, d_inode(dentry)->i_fop); + goto free_proxy; + } else if (filp->f_op != proxy_fops) { /* No protection against file removal anymore. */ WARN(1, "debugfs file owner replaced proxy fops: %pd", dentry);
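
Review bot: in the new `if (r)` branch, `replace_fops(filp, d_inode(dentry)->i_fop)` restores ->f_op from the inode rather than from the value filp->f_op held when full_proxy_open() was entered, which is how the commit message describes the step. The two agree only as long as filp->f_op is set from the inode's i_fop before ->open() is called; a one-line comment stating that, or saving the entry value in a local, would make the assumption explicit. The `free_proxy` label and the code that drops the reference to the original file_operations lie outside the visible context, so for this backport confirm that the label exists in the target tree and that control still reaches the reference drop after the proxy is freed, otherwise only one of the two leaks named in the commit message is closed. Changing the check to `else if` also means the WARN about a replaced proxy is no longer evaluated when ->open() fails; that looks intended, but it deserves a word in the comment.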