2017-11-07 15:59:23 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
2011-07-16 08:45:13 +00:00
|
|
|
* inode.c - part of debugfs, a tiny little debug file system
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
2019-07-03 07:16:53 +00:00
|
|
|
* Copyright (C) 2004,2019 Greg Kroah-Hartman <greg@kroah.com>
|
2005-04-16 22:20:36 +00:00
|
|
|
* Copyright (C) 2004 IBM Inc.
|
2019-07-03 07:16:53 +00:00
|
|
|
* Copyright (C) 2019 Linux Foundation <gregkh@linuxfoundation.org>
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
|
|
|
|
* debugfs is for people to use instead of /proc or /sys.
|
2017-05-14 15:09:53 +00:00
|
|
|
* See ./Documentation/core-api/kernel-api.rst for more details.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
|
2019-07-03 07:16:52 +00:00
|
|
|
#define pr_fmt(fmt) "debugfs: " fmt
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
|
#include <linux/mount.h>
|
|
|
|
|
#include <linux/pagemap.h>
|
|
|
|
|
#include <linux/init.h>
|
2006-11-25 19:09:26 +00:00
|
|
|
#include <linux/kobject.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/namei.h>
|
|
|
|
|
#include <linux/debugfs.h>
|
2006-11-24 18:45:37 +00:00
|
|
|
#include <linux/fsnotify.h>
|
2007-02-13 11:13:54 +00:00
|
|
|
#include <linux/string.h>
|
2012-01-25 10:52:28 +00:00
|
|
|
#include <linux/seq_file.h>
|
|
|
|
|
#include <linux/parser.h>
|
2008-10-07 18:00:12 +00:00
|
|
|
#include <linux/magic.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2019-08-20 00:18:02 +00:00
|
|
|
#include <linux/security.h>
|
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:13 +00:00
|
|
|
|
|
|
|
|
#include "internal.h"
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-08-27 20:32:15 +00:00
|
|
|
#define DEBUGFS_DEFAULT_MODE 0700
|
2012-01-25 10:52:28 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static struct vfsmount *debugfs_mount;
|
|
|
|
|
static int debugfs_mount_count;
|
2009-03-22 22:10:44 +00:00
|
|
|
static bool debugfs_registered;
|
2021-04-05 21:39:59 +00:00
|
|
|
static unsigned int debugfs_allow __ro_after_init = DEFAULT_DEBUGFS_ALLOW_BITS;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2019-08-20 00:18:02 +00:00
|
|
|
/*
|
|
|
|
|
* Don't allow access attributes to be changed whilst the kernel is locked down
|
|
|
|
|
* so that we can use the file mode as part of a heuristic to determine whether
|
|
|
|
|
* to lock down individual files.
|
|
|
|
|
*/
|
2023-01-13 11:49:11 +00:00
|
|
|
static int debugfs_setattr(struct mnt_idmap *idmap,
|
2021-01-21 13:19:43 +00:00
|
|
|
struct dentry *dentry, struct iattr *ia)
|
2019-08-20 00:18:02 +00:00
|
|
|
{
|
2021-05-07 12:53:04 +00:00
|
|
|
int ret;
|
2019-08-20 00:18:02 +00:00
|
|
|
|
2021-05-07 12:53:04 +00:00
|
|
|
if (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) {
|
|
|
|
|
ret = security_locked_down(LOCKDOWN_DEBUGFS);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2023-01-13 11:49:11 +00:00
|
|
|
return simple_setattr(&nop_mnt_idmap, dentry, ia);
|
2019-08-20 00:18:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct inode_operations debugfs_file_inode_operations = {
|
|
|
|
|
.setattr = debugfs_setattr,
|
|
|
|
|
};
|
|
|
|
|
static const struct inode_operations debugfs_dir_inode_operations = {
|
|
|
|
|
.lookup = simple_lookup,
|
|
|
|
|
.setattr = debugfs_setattr,
|
|
|
|
|
};
|
|
|
|
|
static const struct inode_operations debugfs_symlink_inode_operations = {
|
|
|
|
|
.get_link = simple_get_link,
|
|
|
|
|
.setattr = debugfs_setattr,
|
|
|
|
|
};
|
|
|
|
|
|
2015-01-25 19:36:18 +00:00
|
|
|
static struct inode *debugfs_get_inode(struct super_block *sb)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct inode *inode = new_inode(sb);
|
|
|
|
|
if (inode) {
|
2010-10-23 15:19:54 +00:00
|
|
|
inode->i_ino = get_next_ino();
|
2023-10-04 18:52:13 +00:00
|
|
|
simple_inode_init_ts(inode);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2014-06-06 17:42:04 +00:00
|
|
|
return inode;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2012-01-25 10:52:28 +00:00
|
|
|
struct debugfs_mount_opts {
|
2012-04-03 21:01:31 +00:00
|
|
|
kuid_t uid;
|
|
|
|
|
kgid_t gid;
|
2012-01-25 10:52:28 +00:00
|
|
|
umode_t mode;
|
2022-09-12 23:31:42 +00:00
|
|
|
/* Opt_* bitfield. */
|
|
|
|
|
unsigned int opts;
|
2012-01-25 10:52:28 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
enum {
|
|
|
|
|
Opt_uid,
|
|
|
|
|
Opt_gid,
|
|
|
|
|
Opt_mode,
|
|
|
|
|
Opt_err
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const match_table_t tokens = {
|
|
|
|
|
{Opt_uid, "uid=%u"},
|
|
|
|
|
{Opt_gid, "gid=%u"},
|
|
|
|
|
{Opt_mode, "mode=%o"},
|
|
|
|
|
{Opt_err, NULL}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct debugfs_fs_info {
|
|
|
|
|
struct debugfs_mount_opts mount_opts;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int debugfs_parse_options(char *data, struct debugfs_mount_opts *opts)
|
|
|
|
|
{
|
|
|
|
|
substring_t args[MAX_OPT_ARGS];
|
|
|
|
|
int option;
|
|
|
|
|
int token;
|
2012-04-03 21:01:31 +00:00
|
|
|
kuid_t uid;
|
|
|
|
|
kgid_t gid;
|
2012-01-25 10:52:28 +00:00
|
|
|
char *p;
|
|
|
|
|
|
2022-09-12 23:31:42 +00:00
|
|
|
opts->opts = 0;
|
2012-01-25 10:52:28 +00:00
|
|
|
opts->mode = DEBUGFS_DEFAULT_MODE;
|
|
|
|
|
|
|
|
|
|
while ((p = strsep(&data, ",")) != NULL) {
|
|
|
|
|
if (!*p)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
token = match_token(p, tokens, args);
|
|
|
|
|
switch (token) {
|
|
|
|
|
case Opt_uid:
|
|
|
|
|
if (match_int(&args[0], &option))
|
|
|
|
|
return -EINVAL;
|
2012-04-03 21:01:31 +00:00
|
|
|
uid = make_kuid(current_user_ns(), option);
|
|
|
|
|
if (!uid_valid(uid))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
opts->uid = uid;
|
2012-01-25 10:52:28 +00:00
|
|
|
break;
|
|
|
|
|
case Opt_gid:
|
2013-01-02 13:54:37 +00:00
|
|
|
if (match_int(&args[0], &option))
|
2012-01-25 10:52:28 +00:00
|
|
|
return -EINVAL;
|
2012-04-03 21:01:31 +00:00
|
|
|
gid = make_kgid(current_user_ns(), option);
|
|
|
|
|
if (!gid_valid(gid))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
opts->gid = gid;
|
2012-01-25 10:52:28 +00:00
|
|
|
break;
|
|
|
|
|
case Opt_mode:
|
|
|
|
|
if (match_octal(&args[0], &option))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
opts->mode = option & S_IALLUGO;
|
|
|
|
|
break;
|
|
|
|
|
/*
|
|
|
|
|
* We might like to report bad mount options here;
|
|
|
|
|
* but traditionally debugfs has ignored all mount options
|
|
|
|
|
*/
|
|
|
|
|
}
|
2022-09-12 23:31:42 +00:00
|
|
|
|
|
|
|
|
opts->opts |= BIT(token);
|
2012-01-25 10:52:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-12 23:31:42 +00:00
|
|
|
static void _debugfs_apply_options(struct super_block *sb, bool remount)
|
2012-01-25 10:52:28 +00:00
|
|
|
{
|
|
|
|
|
struct debugfs_fs_info *fsi = sb->s_fs_info;
|
2015-03-17 22:25:59 +00:00
|
|
|
struct inode *inode = d_inode(sb->s_root);
|
2012-01-25 10:52:28 +00:00
|
|
|
struct debugfs_mount_opts *opts = &fsi->mount_opts;
|
|
|
|
|
|
2022-09-12 23:31:42 +00:00
|
|
|
/*
|
|
|
|
|
* On remount, only reset mode/uid/gid if they were provided as mount
|
|
|
|
|
* options.
|
|
|
|
|
*/
|
2012-01-25 10:52:28 +00:00
|
|
|
|
2022-09-12 23:31:42 +00:00
|
|
|
if (!remount || opts->opts & BIT(Opt_mode)) {
|
|
|
|
|
inode->i_mode &= ~S_IALLUGO;
|
|
|
|
|
inode->i_mode |= opts->mode;
|
|
|
|
|
}
|
2012-01-25 10:52:28 +00:00
|
|
|
|
2022-09-12 23:31:42 +00:00
|
|
|
if (!remount || opts->opts & BIT(Opt_uid))
|
|
|
|
|
inode->i_uid = opts->uid;
|
|
|
|
|
|
|
|
|
|
if (!remount || opts->opts & BIT(Opt_gid))
|
|
|
|
|
inode->i_gid = opts->gid;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void debugfs_apply_options(struct super_block *sb)
|
|
|
|
|
{
|
|
|
|
|
_debugfs_apply_options(sb, false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void debugfs_apply_options_remount(struct super_block *sb)
|
|
|
|
|
{
|
|
|
|
|
_debugfs_apply_options(sb, true);
|
2012-01-25 10:52:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int debugfs_remount(struct super_block *sb, int *flags, char *data)
|
|
|
|
|
{
|
|
|
|
|
int err;
|
|
|
|
|
struct debugfs_fs_info *fsi = sb->s_fs_info;
|
|
|
|
|
|
2014-03-13 14:14:33 +00:00
|
|
|
sync_filesystem(sb);
|
2012-01-25 10:52:28 +00:00
|
|
|
err = debugfs_parse_options(data, &fsi->mount_opts);
|
|
|
|
|
if (err)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
2022-09-12 23:31:42 +00:00
|
|
|
debugfs_apply_options_remount(sb);
|
2012-01-25 10:52:28 +00:00
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int debugfs_show_options(struct seq_file *m, struct dentry *root)
|
|
|
|
|
{
|
|
|
|
|
struct debugfs_fs_info *fsi = root->d_sb->s_fs_info;
|
|
|
|
|
struct debugfs_mount_opts *opts = &fsi->mount_opts;
|
|
|
|
|
|
2012-04-03 21:01:31 +00:00
|
|
|
if (!uid_eq(opts->uid, GLOBAL_ROOT_UID))
|
|
|
|
|
seq_printf(m, ",uid=%u",
|
|
|
|
|
from_kuid_munged(&init_user_ns, opts->uid));
|
|
|
|
|
if (!gid_eq(opts->gid, GLOBAL_ROOT_GID))
|
|
|
|
|
seq_printf(m, ",gid=%u",
|
|
|
|
|
from_kgid_munged(&init_user_ns, opts->gid));
|
2012-01-25 10:52:28 +00:00
|
|
|
if (opts->mode != DEBUGFS_DEFAULT_MODE)
|
|
|
|
|
seq_printf(m, ",mode=%o", opts->mode);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-15 03:19:45 +00:00
|
|
|
static void debugfs_free_inode(struct inode *inode)
|
2015-02-22 03:05:11 +00:00
|
|
|
{
|
|
|
|
|
if (S_ISLNK(inode->i_mode))
|
2015-05-02 14:27:18 +00:00
|
|
|
kfree(inode->i_link);
|
2019-03-26 01:43:37 +00:00
|
|
|
free_inode_nonrcu(inode);
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-25 10:52:28 +00:00
|
|
|
static const struct super_operations debugfs_super_operations = {
|
|
|
|
|
.statfs = simple_statfs,
|
|
|
|
|
.remount_fs = debugfs_remount,
|
|
|
|
|
.show_options = debugfs_show_options,
|
2019-04-15 03:19:45 +00:00
|
|
|
.free_inode = debugfs_free_inode,
|
2012-01-25 10:52:28 +00:00
|
|
|
};
|
|
|
|
|
|
2017-10-30 23:15:47 +00:00
|
|
|
static void debugfs_release_dentry(struct dentry *dentry)
|
|
|
|
|
{
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
struct debugfs_fsdata *fsd = dentry->d_fsdata;
|
debugfs: defer debugfs_fsdata allocation to first usage
Currently, __debugfs_create_file allocates one struct debugfs_fsdata
instance for every file created. However, there are potentially many
debugfs file around, most of which are never touched by userspace.
Thus, defer the allocations to the first usage, i.e. to the first
debugfs_file_get().
A dentry's ->d_fsdata starts out to point to the "real", user provided
fops. After a debugfs_fsdata instance has been allocated (and the real
fops pointer has been moved over into its ->real_fops member),
->d_fsdata is changed to point to it from then on. The two cases are
distinguished by setting BIT(0) for the real fops case.
struct debugfs_fsdata's foremost purpose is to track active users and to
make debugfs_remove() block until they are done. Since no debugfs_fsdata
instance means no active users, make debugfs_remove() return immediately
in this case.
Take care of possible races between debugfs_file_get() and
debugfs_remove(): either debugfs_remove() must see a debugfs_fsdata
instance and thus wait for possible active users or debugfs_file_get() must
see a dead dentry and return immediately.
Make a dentry's ->d_release(), i.e. debugfs_release_dentry(), check whether
->d_fsdata is actually a debugfs_fsdata instance before kfree()ing it.
Similarly, make debugfs_real_fops() check whether ->d_fsdata is actually
a debugfs_fsdata instance before returning it, otherwise emit a warning.
The set of possible error codes returned from debugfs_file_get() has grown
from -EIO to -EIO and -ENOMEM. Make open_proxy_open() and full_proxy_open()
pass the -ENOMEM onwards to their callers.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:54 +00:00
|
|
|
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
if ((unsigned long)fsd & DEBUGFS_FSDATA_IS_REAL_FOPS_BIT)
|
|
|
|
|
return;
|
|
|
|
|
|
2023-11-24 16:25:25 +00:00
|
|
|
/* check it wasn't a dir (no fsdata) or automount (no real_fops) */
|
|
|
|
|
if (fsd && fsd->real_fops) {
|
2023-11-24 16:25:26 +00:00
|
|
|
WARN_ON(!list_empty(&fsd->cancellations));
|
|
|
|
|
mutex_destroy(&fsd->cancellations_mtx);
|
2023-11-24 16:25:25 +00:00
|
|
|
}
|
|
|
|
|
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
kfree(fsd);
|
2017-10-30 23:15:47 +00:00
|
|
|
}
|
|
|
|
|
|
2015-01-25 20:10:32 +00:00
|
|
|
static struct vfsmount *debugfs_automount(struct path *path)
|
|
|
|
|
{
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
struct debugfs_fsdata *fsd = path->dentry->d_fsdata;
|
|
|
|
|
|
|
|
|
|
return fsd->automount(path->dentry, d_inode(path->dentry)->i_private);
|
2015-01-25 20:10:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct dentry_operations debugfs_dops = {
|
|
|
|
|
.d_delete = always_delete_dentry,
|
2017-10-30 23:15:47 +00:00
|
|
|
.d_release = debugfs_release_dentry,
|
2015-01-25 20:10:32 +00:00
|
|
|
.d_automount = debugfs_automount,
|
|
|
|
|
};
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static int debug_fill_super(struct super_block *sb, void *data, int silent)
|
|
|
|
|
{
|
2017-03-26 04:15:37 +00:00
|
|
|
static const struct tree_descr debug_files[] = {{""}};
|
2012-01-25 10:52:28 +00:00
|
|
|
struct debugfs_fs_info *fsi;
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
fsi = kzalloc(sizeof(struct debugfs_fs_info), GFP_KERNEL);
|
|
|
|
|
sb->s_fs_info = fsi;
|
|
|
|
|
if (!fsi) {
|
|
|
|
|
err = -ENOMEM;
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = debugfs_parse_options(data, &fsi->mount_opts);
|
|
|
|
|
if (err)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
err = simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
|
|
|
|
|
if (err)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
sb->s_op = &debugfs_super_operations;
|
2015-01-25 20:10:32 +00:00
|
|
|
sb->s_d_op = &debugfs_dops;
|
2012-01-25 10:52:28 +00:00
|
|
|
|
|
|
|
|
debugfs_apply_options(sb);
|
|
|
|
|
|
|
|
|
|
return 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-01-25 10:52:28 +00:00
|
|
|
fail:
|
|
|
|
|
kfree(fsi);
|
|
|
|
|
sb->s_fs_info = NULL;
|
|
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2010-07-24 21:48:30 +00:00
|
|
|
static struct dentry *debug_mount(struct file_system_type *fs_type,
|
[PATCH] VFS: Permit filesystem to override root dentry on mount
Extend the get_sb() filesystem operation to take an extra argument that
permits the VFS to pass in the target vfsmount that defines the mountpoint.
The filesystem is then required to manually set the superblock and root dentry
pointers. For most filesystems, this should be done with simple_set_mnt()
which will set the superblock pointer and then set the root dentry to the
superblock's s_root (as per the old default behaviour).
The get_sb() op now returns an integer as there's now no need to return the
superblock pointer.
This patch permits a superblock to be implicitly shared amongst several mount
points, such as can be done with NFS to avoid potential inode aliasing. In
such a case, simple_set_mnt() would not be called, and instead the mnt_root
and mnt_sb would be set directly.
The patch also makes the following changes:
(*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
pointer argument and return an integer, so most filesystems have to change
very little.
(*) If one of the convenience function is not used, then get_sb() should
normally call simple_set_mnt() to instantiate the vfsmount. This will
always return 0, and so can be tail-called from get_sb().
(*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
dcache upon superblock destruction rather than shrink_dcache_anon().
This is required because the superblock may now have multiple trees that
aren't actually bound to s_root, but that still need to be cleaned up. The
currently called functions assume that the whole tree is rooted at s_root,
and that anonymous dentries are not the roots of trees which results in
dentries being left unculled.
However, with the way NFS superblock sharing are currently set to be
implemented, these assumptions are violated: the root of the filesystem is
simply a dummy dentry and inode (the real inode for '/' may well be
inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
with child trees.
[*] Anonymous until discovered from another tree.
(*) The documentation has been adjusted, including the additional bit of
changing ext2_* into foo_* in the documentation.
[akpm@osdl.org: convert ipath_fs, do other stuff]
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nathan Scott <nathans@sgi.com>
Cc: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-23 09:02:57 +00:00
|
|
|
int flags, const char *dev_name,
|
2010-07-24 21:48:30 +00:00
|
|
|
void *data)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2020-07-16 07:15:11 +00:00
|
|
|
if (!(debugfs_allow & DEBUGFS_ALLOW_API))
|
|
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
|
2010-07-24 21:48:30 +00:00
|
|
|
return mount_single(fs_type, flags, data, debug_fill_super);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct file_system_type debug_fs_type = {
|
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
|
.name = "debugfs",
|
2010-07-24 21:48:30 +00:00
|
|
|
.mount = debug_mount,
|
2005-04-16 22:20:36 +00:00
|
|
|
.kill_sb = kill_litter_super,
|
|
|
|
|
};
|
2013-03-03 03:39:14 +00:00
|
|
|
MODULE_ALIAS_FS("debugfs");
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-01-31 22:53:17 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_lookup() - look up an existing debugfs file
|
|
|
|
|
* @name: a pointer to a string containing the name of the file to look up.
|
|
|
|
|
* @parent: a pointer to the parent dentry of the file.
|
|
|
|
|
*
|
|
|
|
|
* This function will return a pointer to a dentry if it succeeds. If the file
|
|
|
|
|
* doesn't exist or an error occurs, %NULL will be returned. The returned
|
|
|
|
|
* dentry must be passed to dput() when it is no longer needed.
|
|
|
|
|
*
|
|
|
|
|
* If debugfs is not enabled in the kernel, the value -%ENODEV will be
|
|
|
|
|
* returned.
|
|
|
|
|
*/
|
|
|
|
|
struct dentry *debugfs_lookup(const char *name, struct dentry *parent)
|
|
|
|
|
{
|
|
|
|
|
struct dentry *dentry;
|
|
|
|
|
|
2021-02-18 10:08:17 +00:00
|
|
|
if (!debugfs_initialized() || IS_ERR_OR_NULL(name) || IS_ERR(parent))
|
2017-01-31 22:53:17 +00:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (!parent)
|
|
|
|
|
parent = debugfs_mount->mnt_root;
|
|
|
|
|
|
2019-10-31 05:21:58 +00:00
|
|
|
dentry = lookup_positive_unlocked(name, parent, strlen(name));
|
2017-01-31 22:53:17 +00:00
|
|
|
if (IS_ERR(dentry))
|
|
|
|
|
return NULL;
|
|
|
|
|
return dentry;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_lookup);
|
|
|
|
|
|
2015-01-25 18:55:55 +00:00
|
|
|
static struct dentry *start_creating(const char *name, struct dentry *parent)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2015-01-25 18:55:55 +00:00
|
|
|
struct dentry *dentry;
|
2012-06-10 00:33:28 +00:00
|
|
|
int error;
|
|
|
|
|
|
2020-07-16 07:15:11 +00:00
|
|
|
if (!(debugfs_allow & DEBUGFS_ALLOW_API))
|
|
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
|
2021-02-18 10:08:18 +00:00
|
|
|
if (!debugfs_initialized())
|
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
|
|
2019-07-03 07:16:52 +00:00
|
|
|
pr_debug("creating file '%s'\n", name);
|
2012-06-10 00:33:28 +00:00
|
|
|
|
2015-03-30 12:59:15 +00:00
|
|
|
if (IS_ERR(parent))
|
|
|
|
|
return parent;
|
|
|
|
|
|
2012-06-10 00:33:28 +00:00
|
|
|
error = simple_pin_fs(&debug_fs_type, &debugfs_mount,
|
|
|
|
|
&debugfs_mount_count);
|
2019-07-03 07:16:53 +00:00
|
|
|
if (error) {
|
|
|
|
|
pr_err("Unable to pin filesystem for file '%s'\n", name);
|
2015-01-25 18:55:55 +00:00
|
|
|
return ERR_PTR(error);
|
2019-07-03 07:16:53 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
/* If the parent is not specified, we create it in the root.
|
2014-06-06 17:42:04 +00:00
|
|
|
* We need the root dentry to do this, which is in the super
|
2005-04-16 22:20:36 +00:00
|
|
|
* block. A pointer to that is in the struct vfsmount that we
|
|
|
|
|
* have around.
|
|
|
|
|
*/
|
2010-01-25 09:50:43 +00:00
|
|
|
if (!parent)
|
2011-12-07 23:21:57 +00:00
|
|
|
parent = debugfs_mount->mnt_root;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2016-01-22 20:40:57 +00:00
|
|
|
inode_lock(d_inode(parent));
|
2019-11-18 14:43:10 +00:00
|
|
|
if (unlikely(IS_DEADDIR(d_inode(parent))))
|
|
|
|
|
dentry = ERR_PTR(-ENOENT);
|
|
|
|
|
else
|
|
|
|
|
dentry = lookup_one_len(name, parent, strlen(name));
|
2015-03-17 22:25:59 +00:00
|
|
|
if (!IS_ERR(dentry) && d_really_is_positive(dentry)) {
|
2019-07-06 15:42:56 +00:00
|
|
|
if (d_is_dir(dentry))
|
|
|
|
|
pr_err("Directory '%s' with parent '%s' already present!\n",
|
|
|
|
|
name, parent->d_name.name);
|
|
|
|
|
else
|
|
|
|
|
pr_err("File '%s' in directory '%s' already present!\n",
|
|
|
|
|
name, parent->d_name.name);
|
2012-06-10 00:33:28 +00:00
|
|
|
dput(dentry);
|
2015-01-25 18:55:55 +00:00
|
|
|
dentry = ERR_PTR(-EEXIST);
|
|
|
|
|
}
|
2015-11-04 23:01:51 +00:00
|
|
|
|
|
|
|
|
if (IS_ERR(dentry)) {
|
2016-01-22 20:40:57 +00:00
|
|
|
inode_unlock(d_inode(parent));
|
2015-11-04 23:01:51 +00:00
|
|
|
simple_release_fs(&debugfs_mount, &debugfs_mount_count);
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-25 18:55:55 +00:00
|
|
|
return dentry;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-25 19:39:49 +00:00
|
|
|
static struct dentry *failed_creating(struct dentry *dentry)
|
2015-01-25 18:55:55 +00:00
|
|
|
{
|
2016-01-22 20:40:57 +00:00
|
|
|
inode_unlock(d_inode(dentry->d_parent));
|
2015-01-25 18:55:55 +00:00
|
|
|
dput(dentry);
|
2015-01-25 19:39:49 +00:00
|
|
|
simple_release_fs(&debugfs_mount, &debugfs_mount_count);
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2015-01-25 19:39:49 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2015-01-25 19:39:49 +00:00
|
|
|
static struct dentry *end_creating(struct dentry *dentry)
|
|
|
|
|
{
|
2016-01-22 20:40:57 +00:00
|
|
|
inode_unlock(d_inode(dentry->d_parent));
|
2012-06-10 00:28:22 +00:00
|
|
|
return dentry;
|
|
|
|
|
}
|
|
|
|
|
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
|
|
|
|
|
struct dentry *parent, void *data,
|
|
|
|
|
const struct file_operations *proxy_fops,
|
|
|
|
|
const struct file_operations *real_fops)
|
|
|
|
|
{
|
|
|
|
|
struct dentry *dentry;
|
|
|
|
|
struct inode *inode;
|
|
|
|
|
|
|
|
|
|
if (!(mode & S_IFMT))
|
|
|
|
|
mode |= S_IFREG;
|
|
|
|
|
BUG_ON(!S_ISREG(mode));
|
|
|
|
|
dentry = start_creating(name, parent);
|
|
|
|
|
|
debugfs: defer debugfs_fsdata allocation to first usage
Currently, __debugfs_create_file allocates one struct debugfs_fsdata
instance for every file created. However, there are potentially many
debugfs file around, most of which are never touched by userspace.
Thus, defer the allocations to the first usage, i.e. to the first
debugfs_file_get().
A dentry's ->d_fsdata starts out to point to the "real", user provided
fops. After a debugfs_fsdata instance has been allocated (and the real
fops pointer has been moved over into its ->real_fops member),
->d_fsdata is changed to point to it from then on. The two cases are
distinguished by setting BIT(0) for the real fops case.
struct debugfs_fsdata's foremost purpose is to track active users and to
make debugfs_remove() block until they are done. Since no debugfs_fsdata
instance means no active users, make debugfs_remove() return immediately
in this case.
Take care of possible races between debugfs_file_get() and
debugfs_remove(): either debugfs_remove() must see a debugfs_fsdata
instance and thus wait for possible active users or debugfs_file_get() must
see a dead dentry and return immediately.
Make a dentry's ->d_release(), i.e. debugfs_release_dentry(), check whether
->d_fsdata is actually a debugfs_fsdata instance before kfree()ing it.
Similarly, make debugfs_real_fops() check whether ->d_fsdata is actually
a debugfs_fsdata instance before returning it, otherwise emit a warning.
The set of possible error codes returned from debugfs_file_get() has grown
from -EIO to -EIO and -ENOMEM. Make open_proxy_open() and full_proxy_open()
pass the -ENOMEM onwards to their callers.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:54 +00:00
|
|
|
if (IS_ERR(dentry))
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
return dentry;
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
|
2020-07-16 07:15:11 +00:00
|
|
|
if (!(debugfs_allow & DEBUGFS_ALLOW_API)) {
|
|
|
|
|
failed_creating(dentry);
|
|
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
}
|
|
|
|
|
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
inode = debugfs_get_inode(dentry->d_sb);
|
2019-07-03 07:16:53 +00:00
|
|
|
if (unlikely(!inode)) {
|
|
|
|
|
pr_err("out of free dentries, can not create file '%s'\n",
|
|
|
|
|
name);
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
return failed_creating(dentry);
|
2019-07-03 07:16:53 +00:00
|
|
|
}
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
|
|
|
|
|
inode->i_mode = mode;
|
|
|
|
|
inode->i_private = data;
|
|
|
|
|
|
2019-08-20 00:18:02 +00:00
|
|
|
inode->i_op = &debugfs_file_inode_operations;
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
inode->i_fop = proxy_fops;
|
debugfs: defer debugfs_fsdata allocation to first usage
Currently, __debugfs_create_file allocates one struct debugfs_fsdata
instance for every file created. However, there are potentially many
debugfs file around, most of which are never touched by userspace.
Thus, defer the allocations to the first usage, i.e. to the first
debugfs_file_get().
A dentry's ->d_fsdata starts out to point to the "real", user provided
fops. After a debugfs_fsdata instance has been allocated (and the real
fops pointer has been moved over into its ->real_fops member),
->d_fsdata is changed to point to it from then on. The two cases are
distinguished by setting BIT(0) for the real fops case.
struct debugfs_fsdata's foremost purpose is to track active users and to
make debugfs_remove() block until they are done. Since no debugfs_fsdata
instance means no active users, make debugfs_remove() return immediately
in this case.
Take care of possible races between debugfs_file_get() and
debugfs_remove(): either debugfs_remove() must see a debugfs_fsdata
instance and thus wait for possible active users or debugfs_file_get() must
see a dead dentry and return immediately.
Make a dentry's ->d_release(), i.e. debugfs_release_dentry(), check whether
->d_fsdata is actually a debugfs_fsdata instance before kfree()ing it.
Similarly, make debugfs_real_fops() check whether ->d_fsdata is actually
a debugfs_fsdata instance before returning it, otherwise emit a warning.
The set of possible error codes returned from debugfs_file_get() has grown
from -EIO to -EIO and -ENOMEM. Make open_proxy_open() and full_proxy_open()
pass the -ENOMEM onwards to their callers.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:54 +00:00
|
|
|
dentry->d_fsdata = (void *)((unsigned long)real_fops |
|
|
|
|
|
DEBUGFS_FSDATA_IS_REAL_FOPS_BIT);
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
|
|
|
|
|
d_instantiate(dentry, inode);
|
|
|
|
|
fsnotify_create(d_inode(dentry->d_parent), dentry);
|
|
|
|
|
return end_creating(dentry);
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_create_file - create a file in the debugfs filesystem
|
|
|
|
|
* @name: a pointer to a string containing the name of the file to create.
|
2009-10-31 21:26:52 +00:00
|
|
|
* @mode: the permission that the file should have.
|
2005-04-16 22:20:36 +00:00
|
|
|
* @parent: a pointer to the parent dentry for this file. This should be a
|
2014-02-18 13:54:36 +00:00
|
|
|
* directory dentry if set. If this parameter is NULL, then the
|
2005-04-16 22:20:36 +00:00
|
|
|
* file will be created in the root of the debugfs filesystem.
|
|
|
|
|
* @data: a pointer to something that the caller will want to get to later
|
2006-09-27 08:50:46 +00:00
|
|
|
* on. The inode.i_private pointer will point to this value on
|
2005-04-16 22:20:36 +00:00
|
|
|
* the open() call.
|
|
|
|
|
* @fops: a pointer to a struct file_operations that should be used for
|
|
|
|
|
* this file.
|
|
|
|
|
*
|
|
|
|
|
* This is the basic "create a file" function for debugfs. It allows for a
|
2009-10-31 21:26:52 +00:00
|
|
|
* wide range of flexibility in creating a file, or a directory (if you want
|
|
|
|
|
* to create a directory, the debugfs_create_dir() function is
|
2005-04-16 22:20:36 +00:00
|
|
|
* recommended to be used instead.)
|
|
|
|
|
*
|
|
|
|
|
* This function will return a pointer to a dentry if it succeeds. This
|
|
|
|
|
* pointer must be passed to the debugfs_remove() function when the file is
|
|
|
|
|
* to be removed (no automatic cleanup happens if your module is unloaded,
|
2019-12-27 01:00:33 +00:00
|
|
|
* you are responsible here.) If an error occurs, ERR_PTR(-ERROR) will be
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
* returned.
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
2006-07-20 15:16:42 +00:00
|
|
|
* If debugfs is not enabled in the kernel, the value -%ENODEV will be
|
2007-02-14 06:57:47 +00:00
|
|
|
* returned.
|
2022-02-22 23:46:00 +00:00
|
|
|
*
|
|
|
|
|
* NOTE: it's expected that most callers should _ignore_ the errors returned
|
|
|
|
|
* by this function. Other debugfs functions handle the fact that the "dentry"
|
|
|
|
|
* passed to them could be an error and they don't crash in that case.
|
|
|
|
|
* Drivers should generally work fine even if debugfs fails to init anyway.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2011-07-24 08:33:43 +00:00
|
|
|
struct dentry *debugfs_create_file(const char *name, umode_t mode,
|
2005-04-16 22:20:36 +00:00
|
|
|
struct dentry *parent, void *data,
|
2006-03-28 09:56:41 +00:00
|
|
|
const struct file_operations *fops)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2015-01-25 19:31:32 +00:00
|
|
|
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
return __debugfs_create_file(name, mode, parent, data,
|
|
|
|
|
fops ? &debugfs_full_proxy_file_operations :
|
|
|
|
|
&debugfs_noop_file_operations,
|
|
|
|
|
fops);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_create_file);
|
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:13 +00:00
|
|
|
|
2016-03-22 13:11:15 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_create_file_unsafe - create a file in the debugfs filesystem
|
|
|
|
|
* @name: a pointer to a string containing the name of the file to create.
|
|
|
|
|
* @mode: the permission that the file should have.
|
|
|
|
|
* @parent: a pointer to the parent dentry for this file. This should be a
|
|
|
|
|
* directory dentry if set. If this parameter is NULL, then the
|
|
|
|
|
* file will be created in the root of the debugfs filesystem.
|
|
|
|
|
* @data: a pointer to something that the caller will want to get to later
|
|
|
|
|
* on. The inode.i_private pointer will point to this value on
|
|
|
|
|
* the open() call.
|
|
|
|
|
* @fops: a pointer to a struct file_operations that should be used for
|
|
|
|
|
* this file.
|
|
|
|
|
*
|
|
|
|
|
* debugfs_create_file_unsafe() is completely analogous to
|
|
|
|
|
* debugfs_create_file(), the only difference being that the fops
|
|
|
|
|
* handed it will not get protected against file removals by the
|
|
|
|
|
* debugfs core.
|
|
|
|
|
*
|
|
|
|
|
* It is your responsibility to protect your struct file_operation
|
2018-12-30 03:46:52 +00:00
|
|
|
* methods against file removals by means of debugfs_file_get()
|
|
|
|
|
* and debugfs_file_put(). ->open() is still protected by
|
2016-03-22 13:11:15 +00:00
|
|
|
* debugfs though.
|
|
|
|
|
*
|
|
|
|
|
* Any struct file_operations defined by means of
|
|
|
|
|
* DEFINE_DEBUGFS_ATTRIBUTE() is protected against file removals and
|
|
|
|
|
* thus, may be used here.
|
|
|
|
|
*/
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
struct dentry *debugfs_create_file_unsafe(const char *name, umode_t mode,
|
|
|
|
|
struct dentry *parent, void *data,
|
|
|
|
|
const struct file_operations *fops)
|
|
|
|
|
{
|
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:13 +00:00
|
|
|
|
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 13:11:14 +00:00
|
|
|
return __debugfs_create_file(name, mode, parent, data,
|
|
|
|
|
fops ? &debugfs_open_proxy_file_operations :
|
|
|
|
|
&debugfs_noop_file_operations,
|
|
|
|
|
fops);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2016-03-22 13:11:15 +00:00
|
|
|
EXPORT_SYMBOL_GPL(debugfs_create_file_unsafe);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2015-01-21 20:03:40 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_create_file_size - create a file in the debugfs filesystem
|
|
|
|
|
* @name: a pointer to a string containing the name of the file to create.
|
|
|
|
|
* @mode: the permission that the file should have.
|
|
|
|
|
* @parent: a pointer to the parent dentry for this file. This should be a
|
|
|
|
|
* directory dentry if set. If this parameter is NULL, then the
|
|
|
|
|
* file will be created in the root of the debugfs filesystem.
|
|
|
|
|
* @data: a pointer to something that the caller will want to get to later
|
|
|
|
|
* on. The inode.i_private pointer will point to this value on
|
|
|
|
|
* the open() call.
|
|
|
|
|
* @fops: a pointer to a struct file_operations that should be used for
|
|
|
|
|
* this file.
|
|
|
|
|
* @file_size: initial file size
|
|
|
|
|
*
|
|
|
|
|
* This is the basic "create a file" function for debugfs. It allows for a
|
|
|
|
|
* wide range of flexibility in creating a file, or a directory (if you want
|
|
|
|
|
* to create a directory, the debugfs_create_dir() function is
|
|
|
|
|
* recommended to be used instead.)
|
|
|
|
|
*/
|
2020-03-09 16:36:40 +00:00
|
|
|
void debugfs_create_file_size(const char *name, umode_t mode,
|
|
|
|
|
struct dentry *parent, void *data,
|
|
|
|
|
const struct file_operations *fops,
|
|
|
|
|
loff_t file_size)
|
2015-01-21 20:03:40 +00:00
|
|
|
{
|
|
|
|
|
struct dentry *de = debugfs_create_file(name, mode, parent, data, fops);
|
|
|
|
|
|
2021-09-02 10:29:17 +00:00
|
|
|
if (!IS_ERR(de))
|
2015-03-17 22:25:59 +00:00
|
|
|
d_inode(de)->i_size = file_size;
|
2015-01-21 20:03:40 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_create_file_size);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_create_dir - create a directory in the debugfs filesystem
|
|
|
|
|
* @name: a pointer to a string containing the name of the directory to
|
|
|
|
|
* create.
|
|
|
|
|
* @parent: a pointer to the parent dentry for this file. This should be a
|
2014-02-18 13:54:36 +00:00
|
|
|
* directory dentry if set. If this parameter is NULL, then the
|
2005-04-16 22:20:36 +00:00
|
|
|
* directory will be created in the root of the debugfs filesystem.
|
|
|
|
|
*
|
|
|
|
|
* This function creates a directory in debugfs with the given name.
|
|
|
|
|
*
|
|
|
|
|
* This function will return a pointer to a dentry if it succeeds. This
|
|
|
|
|
* pointer must be passed to the debugfs_remove() function when the file is
|
|
|
|
|
* to be removed (no automatic cleanup happens if your module is unloaded,
|
2019-12-27 01:00:33 +00:00
|
|
|
* you are responsible here.) If an error occurs, ERR_PTR(-ERROR) will be
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
* returned.
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
2006-07-20 15:16:42 +00:00
|
|
|
* If debugfs is not enabled in the kernel, the value -%ENODEV will be
|
2007-02-14 06:57:47 +00:00
|
|
|
* returned.
|
2022-02-22 23:46:00 +00:00
|
|
|
*
|
|
|
|
|
* NOTE: it's expected that most callers should _ignore_ the errors returned
|
|
|
|
|
* by this function. Other debugfs functions handle the fact that the "dentry"
|
|
|
|
|
* passed to them could be an error and they don't crash in that case.
|
|
|
|
|
* Drivers should generally work fine even if debugfs fails to init anyway.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
|
|
|
|
|
{
|
2015-01-25 19:02:31 +00:00
|
|
|
struct dentry *dentry = start_creating(name, parent);
|
2015-01-25 19:31:32 +00:00
|
|
|
struct inode *inode;
|
2015-01-25 19:02:31 +00:00
|
|
|
|
|
|
|
|
if (IS_ERR(dentry))
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
return dentry;
|
2015-01-25 19:02:31 +00:00
|
|
|
|
2020-07-16 07:15:11 +00:00
|
|
|
if (!(debugfs_allow & DEBUGFS_ALLOW_API)) {
|
|
|
|
|
failed_creating(dentry);
|
|
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-25 19:36:18 +00:00
|
|
|
inode = debugfs_get_inode(dentry->d_sb);
|
2019-07-03 07:16:53 +00:00
|
|
|
if (unlikely(!inode)) {
|
|
|
|
|
pr_err("out of free dentries, can not create directory '%s'\n",
|
|
|
|
|
name);
|
2015-01-25 19:39:49 +00:00
|
|
|
return failed_creating(dentry);
|
2019-07-03 07:16:53 +00:00
|
|
|
}
|
2015-01-25 19:31:32 +00:00
|
|
|
|
2018-06-13 03:52:16 +00:00
|
|
|
inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
|
2019-08-20 00:18:02 +00:00
|
|
|
inode->i_op = &debugfs_dir_inode_operations;
|
2015-01-25 19:36:18 +00:00
|
|
|
inode->i_fop = &simple_dir_operations;
|
|
|
|
|
|
|
|
|
|
/* directory inodes start off with i_nlink == 2 (for "." entry) */
|
|
|
|
|
inc_nlink(inode);
|
2015-01-25 19:31:32 +00:00
|
|
|
d_instantiate(dentry, inode);
|
2015-03-17 22:25:59 +00:00
|
|
|
inc_nlink(d_inode(dentry->d_parent));
|
|
|
|
|
fsnotify_mkdir(d_inode(dentry->d_parent), dentry);
|
2015-01-25 19:39:49 +00:00
|
|
|
return end_creating(dentry);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_create_dir);
|
|
|
|
|
|
2015-01-25 20:10:32 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_create_automount - create automount point in the debugfs filesystem
|
|
|
|
|
* @name: a pointer to a string containing the name of the file to create.
|
|
|
|
|
* @parent: a pointer to the parent dentry for this file. This should be a
|
|
|
|
|
* directory dentry if set. If this parameter is NULL, then the
|
|
|
|
|
* file will be created in the root of the debugfs filesystem.
|
|
|
|
|
* @f: function to be called when pathname resolution steps on that one.
|
|
|
|
|
* @data: opaque argument to pass to f().
|
|
|
|
|
*
|
|
|
|
|
* @f should return what ->d_automount() would.
|
|
|
|
|
*/
|
|
|
|
|
struct dentry *debugfs_create_automount(const char *name,
|
|
|
|
|
struct dentry *parent,
|
2017-01-31 17:06:16 +00:00
|
|
|
debugfs_automount_t f,
|
2015-01-25 20:10:32 +00:00
|
|
|
void *data)
|
|
|
|
|
{
|
|
|
|
|
struct dentry *dentry = start_creating(name, parent);
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
struct debugfs_fsdata *fsd;
|
2015-01-25 20:10:32 +00:00
|
|
|
struct inode *inode;
|
|
|
|
|
|
|
|
|
|
if (IS_ERR(dentry))
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
return dentry;
|
2015-01-25 20:10:32 +00:00
|
|
|
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
fsd = kzalloc(sizeof(*fsd), GFP_KERNEL);
|
|
|
|
|
if (!fsd) {
|
|
|
|
|
failed_creating(dentry);
|
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fsd->automount = f;
|
|
|
|
|
|
2020-07-16 07:15:11 +00:00
|
|
|
if (!(debugfs_allow & DEBUGFS_ALLOW_API)) {
|
|
|
|
|
failed_creating(dentry);
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
kfree(fsd);
|
2020-07-16 07:15:11 +00:00
|
|
|
return ERR_PTR(-EPERM);
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-25 20:10:32 +00:00
|
|
|
inode = debugfs_get_inode(dentry->d_sb);
|
2019-07-03 07:16:53 +00:00
|
|
|
if (unlikely(!inode)) {
|
|
|
|
|
pr_err("out of free dentries, can not create automount '%s'\n",
|
|
|
|
|
name);
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
kfree(fsd);
|
2015-01-25 20:10:32 +00:00
|
|
|
return failed_creating(dentry);
|
2019-07-03 07:16:53 +00:00
|
|
|
}
|
2015-01-25 20:10:32 +00:00
|
|
|
|
2016-03-09 15:18:07 +00:00
|
|
|
make_empty_dir_inode(inode);
|
2015-01-25 20:10:32 +00:00
|
|
|
inode->i_flags |= S_AUTOMOUNT;
|
|
|
|
|
inode->i_private = data;
|
debugfs: fix automount d_fsdata usage
debugfs_create_automount() stores a function pointer in d_fsdata,
but since commit 7c8d469877b1 ("debugfs: add support for more
elaborate ->d_fsdata") debugfs_release_dentry() will free it, now
conditionally on DEBUGFS_FSDATA_IS_REAL_FOPS_BIT, but that's not
set for the function pointer in automount. As a result, removing
an automount dentry would attempt to free the function pointer.
Luckily, the only user of this (tracing) never removes it.
Nevertheless, it's safer if we just handle the fsdata in one way,
namely either DEBUGFS_FSDATA_IS_REAL_FOPS_BIT or allocated. Thus,
change the automount to allocate it, and use the real_fops in the
data to indicate whether or not automount is filled, rather than
adding a type tag. At least for now this isn't actually needed,
but the next changes will require it.
Also check in debugfs_file_get() that it gets only called
on regular files, just to make things clearer.
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-11-24 16:25:24 +00:00
|
|
|
dentry->d_fsdata = fsd;
|
2016-02-09 10:30:29 +00:00
|
|
|
/* directory inodes start off with i_nlink == 2 (for "." entry) */
|
|
|
|
|
inc_nlink(inode);
|
2015-01-25 20:10:32 +00:00
|
|
|
d_instantiate(dentry, inode);
|
2016-02-09 10:30:29 +00:00
|
|
|
inc_nlink(d_inode(dentry->d_parent));
|
|
|
|
|
fsnotify_mkdir(d_inode(dentry->d_parent), dentry);
|
2015-01-25 20:10:32 +00:00
|
|
|
return end_creating(dentry);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(debugfs_create_automount);
|
|
|
|
|
|
2007-02-13 11:13:54 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_create_symlink- create a symbolic link in the debugfs filesystem
|
|
|
|
|
* @name: a pointer to a string containing the name of the symbolic link to
|
|
|
|
|
* create.
|
|
|
|
|
* @parent: a pointer to the parent dentry for this symbolic link. This
|
2014-02-18 13:54:36 +00:00
|
|
|
* should be a directory dentry if set. If this parameter is NULL,
|
2007-02-13 11:13:54 +00:00
|
|
|
* then the symbolic link will be created in the root of the debugfs
|
|
|
|
|
* filesystem.
|
|
|
|
|
* @target: a pointer to a string containing the path to the target of the
|
|
|
|
|
* symbolic link.
|
|
|
|
|
*
|
|
|
|
|
* This function creates a symbolic link with the given name in debugfs that
|
|
|
|
|
* links to the given target path.
|
|
|
|
|
*
|
|
|
|
|
* This function will return a pointer to a dentry if it succeeds. This
|
|
|
|
|
* pointer must be passed to the debugfs_remove() function when the symbolic
|
|
|
|
|
* link is to be removed (no automatic cleanup happens if your module is
|
2019-12-27 01:00:33 +00:00
|
|
|
* unloaded, you are responsible here.) If an error occurs, ERR_PTR(-ERROR)
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
* will be returned.
|
2007-02-13 11:13:54 +00:00
|
|
|
*
|
|
|
|
|
* If debugfs is not enabled in the kernel, the value -%ENODEV will be
|
2007-02-14 06:57:47 +00:00
|
|
|
* returned.
|
2007-02-13 11:13:54 +00:00
|
|
|
*/
|
|
|
|
|
struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
|
|
|
|
|
const char *target)
|
|
|
|
|
{
|
2015-01-25 19:02:31 +00:00
|
|
|
struct dentry *dentry;
|
2015-01-25 19:31:32 +00:00
|
|
|
struct inode *inode;
|
|
|
|
|
char *link = kstrdup(target, GFP_KERNEL);
|
2007-02-13 11:13:54 +00:00
|
|
|
if (!link)
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2007-02-13 11:13:54 +00:00
|
|
|
|
2015-01-25 19:02:31 +00:00
|
|
|
dentry = start_creating(name, parent);
|
|
|
|
|
if (IS_ERR(dentry)) {
|
2007-02-13 11:13:54 +00:00
|
|
|
kfree(link);
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
return dentry;
|
2015-01-25 19:02:31 +00:00
|
|
|
}
|
|
|
|
|
|
2015-01-25 19:36:18 +00:00
|
|
|
inode = debugfs_get_inode(dentry->d_sb);
|
2015-01-25 19:31:32 +00:00
|
|
|
if (unlikely(!inode)) {
|
2019-07-03 07:16:53 +00:00
|
|
|
pr_err("out of free dentries, can not create symlink '%s'\n",
|
|
|
|
|
name);
|
2015-01-25 19:02:31 +00:00
|
|
|
kfree(link);
|
2015-01-25 19:39:49 +00:00
|
|
|
return failed_creating(dentry);
|
2015-01-25 19:31:32 +00:00
|
|
|
}
|
2015-01-25 19:36:18 +00:00
|
|
|
inode->i_mode = S_IFLNK | S_IRWXUGO;
|
2019-08-20 00:18:02 +00:00
|
|
|
inode->i_op = &debugfs_symlink_inode_operations;
|
2015-05-02 14:27:18 +00:00
|
|
|
inode->i_link = link;
|
2015-01-25 19:31:32 +00:00
|
|
|
d_instantiate(dentry, inode);
|
2015-01-25 19:39:49 +00:00
|
|
|
return end_creating(dentry);
|
2007-02-13 11:13:54 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_create_symlink);
|
|
|
|
|
|
2019-05-26 14:34:07 +00:00
|
|
|
static void __debugfs_file_removed(struct dentry *dentry)
|
debugfs: implement per-file removal protection
Since commit 49d200deaa68 ("debugfs: prevent access to removed files'
private data"), accesses to a file's private data are protected from
concurrent removal by covering all file_operations with a SRCU read section
and sychronizing with those before returning from debugfs_remove() by means
of synchronize_srcu().
As pointed out by Johannes Berg, there are debugfs files with forever
blocking file_operations. Their corresponding SRCU read side sections would
block any debugfs_remove() forever as well, even unrelated ones. This
results in a livelock. Because a remover can't cancel any indefinite
blocking within foreign files, this is a problem.
Resolve this by introducing support for more granular protection on a
per-file basis.
This is implemented by introducing an 'active_users' refcount_t to the
per-file struct debugfs_fsdata state. At file creation time, it is set to
one and a debugfs_remove() will drop that initial reference. The new
debugfs_file_get() and debugfs_file_put(), intended to be used in place of
former debugfs_use_file_start() and debugfs_use_file_finish(), increment
and decrement it respectively. Once the count drops to zero,
debugfs_file_put() will signal a completion which is possibly being waited
for from debugfs_remove().
Thus, as long as there is a debugfs_file_get() not yet matched by a
corresponding debugfs_file_put() around, debugfs_remove() will block.
Actual users of debugfs_use_file_start() and -finish() will get converted
to the new debugfs_file_get() and debugfs_file_put() by followup patches.
Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:48 +00:00
|
|
|
{
|
|
|
|
|
struct debugfs_fsdata *fsd;
|
|
|
|
|
|
debugfs: defer debugfs_fsdata allocation to first usage
Currently, __debugfs_create_file allocates one struct debugfs_fsdata
instance for every file created. However, there are potentially many
debugfs file around, most of which are never touched by userspace.
Thus, defer the allocations to the first usage, i.e. to the first
debugfs_file_get().
A dentry's ->d_fsdata starts out to point to the "real", user provided
fops. After a debugfs_fsdata instance has been allocated (and the real
fops pointer has been moved over into its ->real_fops member),
->d_fsdata is changed to point to it from then on. The two cases are
distinguished by setting BIT(0) for the real fops case.
struct debugfs_fsdata's foremost purpose is to track active users and to
make debugfs_remove() block until they are done. Since no debugfs_fsdata
instance means no active users, make debugfs_remove() return immediately
in this case.
Take care of possible races between debugfs_file_get() and
debugfs_remove(): either debugfs_remove() must see a debugfs_fsdata
instance and thus wait for possible active users or debugfs_file_get() must
see a dead dentry and return immediately.
Make a dentry's ->d_release(), i.e. debugfs_release_dentry(), check whether
->d_fsdata is actually a debugfs_fsdata instance before kfree()ing it.
Similarly, make debugfs_real_fops() check whether ->d_fsdata is actually
a debugfs_fsdata instance before returning it, otherwise emit a warning.
The set of possible error codes returned from debugfs_file_get() has grown
from -EIO to -EIO and -ENOMEM. Make open_proxy_open() and full_proxy_open()
pass the -ENOMEM onwards to their callers.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:54 +00:00
|
|
|
/*
|
|
|
|
|
* Paired with the closing smp_mb() implied by a successful
|
|
|
|
|
* cmpxchg() in debugfs_file_get(): either
|
|
|
|
|
* debugfs_file_get() must see a dead dentry or we must see a
|
|
|
|
|
* debugfs_fsdata instance at ->d_fsdata here (or both).
|
|
|
|
|
*/
|
|
|
|
|
smp_mb();
|
|
|
|
|
fsd = READ_ONCE(dentry->d_fsdata);
|
|
|
|
|
if ((unsigned long)fsd & DEBUGFS_FSDATA_IS_REAL_FOPS_BIT)
|
|
|
|
|
return;
|
2023-11-24 16:25:25 +00:00
|
|
|
|
2024-02-29 14:36:20 +00:00
|
|
|
/* if this was the last reference, we're done */
|
|
|
|
|
if (refcount_dec_and_test(&fsd->active_users))
|
2023-11-24 16:25:26 +00:00
|
|
|
return;
|
|
|
|
|
|
2024-02-29 14:36:20 +00:00
|
|
|
/*
|
|
|
|
|
* If there's still a reference, the code that obtained it can
|
|
|
|
|
* be in different states:
|
|
|
|
|
* - The common case of not using cancellations, or already
|
|
|
|
|
* after debugfs_leave_cancellation(), where we just need
|
|
|
|
|
* to wait for debugfs_file_put() which signals the completion;
|
|
|
|
|
* - inside a cancellation section, i.e. between
|
|
|
|
|
* debugfs_enter_cancellation() and debugfs_leave_cancellation(),
|
|
|
|
|
* in which case we need to trigger the ->cancel() function,
|
|
|
|
|
* and then wait for debugfs_file_put() just like in the
|
|
|
|
|
* previous case;
|
|
|
|
|
* - before debugfs_enter_cancellation() (but obviously after
|
|
|
|
|
* debugfs_file_get()), in which case we may not see the
|
|
|
|
|
* cancellation in the list on the first round of the loop,
|
|
|
|
|
* but debugfs_enter_cancellation() signals the completion
|
|
|
|
|
* after adding it, so this code gets woken up to call the
|
|
|
|
|
* ->cancel() function.
|
|
|
|
|
*/
|
2023-11-24 16:25:26 +00:00
|
|
|
while (refcount_read(&fsd->active_users)) {
|
|
|
|
|
struct debugfs_cancellation *c;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Lock the cancellations. Note that the cancellations
|
|
|
|
|
* structs are meant to be on the stack, so we need to
|
|
|
|
|
* ensure we either use them here or don't touch them,
|
|
|
|
|
* and debugfs_leave_cancellation() will wait for this
|
|
|
|
|
* to be finished processing before exiting one. It may
|
|
|
|
|
* of course win and remove the cancellation, but then
|
|
|
|
|
* chances are we never even got into this bit, we only
|
|
|
|
|
* do if the refcount isn't zero already.
|
|
|
|
|
*/
|
|
|
|
|
mutex_lock(&fsd->cancellations_mtx);
|
|
|
|
|
while ((c = list_first_entry_or_null(&fsd->cancellations,
|
|
|
|
|
typeof(*c), list))) {
|
|
|
|
|
list_del_init(&c->list);
|
|
|
|
|
c->cancel(dentry, c->cancel_data);
|
|
|
|
|
}
|
|
|
|
|
mutex_unlock(&fsd->cancellations_mtx);
|
|
|
|
|
|
debugfs: implement per-file removal protection
Since commit 49d200deaa68 ("debugfs: prevent access to removed files'
private data"), accesses to a file's private data are protected from
concurrent removal by covering all file_operations with a SRCU read section
and sychronizing with those before returning from debugfs_remove() by means
of synchronize_srcu().
As pointed out by Johannes Berg, there are debugfs files with forever
blocking file_operations. Their corresponding SRCU read side sections would
block any debugfs_remove() forever as well, even unrelated ones. This
results in a livelock. Because a remover can't cancel any indefinite
blocking within foreign files, this is a problem.
Resolve this by introducing support for more granular protection on a
per-file basis.
This is implemented by introducing an 'active_users' refcount_t to the
per-file struct debugfs_fsdata state. At file creation time, it is set to
one and a debugfs_remove() will drop that initial reference. The new
debugfs_file_get() and debugfs_file_put(), intended to be used in place of
former debugfs_use_file_start() and debugfs_use_file_finish(), increment
and decrement it respectively. Once the count drops to zero,
debugfs_file_put() will signal a completion which is possibly being waited
for from debugfs_remove().
Thus, as long as there is a debugfs_file_get() not yet matched by a
corresponding debugfs_file_put() around, debugfs_remove() will block.
Actual users of debugfs_use_file_start() and -finish() will get converted
to the new debugfs_file_get() and debugfs_file_put() by followup patches.
Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:48 +00:00
|
|
|
wait_for_completion(&fsd->active_users_drained);
|
2023-11-24 16:25:26 +00:00
|
|
|
}
|
debugfs: implement per-file removal protection
Since commit 49d200deaa68 ("debugfs: prevent access to removed files'
private data"), accesses to a file's private data are protected from
concurrent removal by covering all file_operations with a SRCU read section
and sychronizing with those before returning from debugfs_remove() by means
of synchronize_srcu().
As pointed out by Johannes Berg, there are debugfs files with forever
blocking file_operations. Their corresponding SRCU read side sections would
block any debugfs_remove() forever as well, even unrelated ones. This
results in a livelock. Because a remover can't cancel any indefinite
blocking within foreign files, this is a problem.
Resolve this by introducing support for more granular protection on a
per-file basis.
This is implemented by introducing an 'active_users' refcount_t to the
per-file struct debugfs_fsdata state. At file creation time, it is set to
one and a debugfs_remove() will drop that initial reference. The new
debugfs_file_get() and debugfs_file_put(), intended to be used in place of
former debugfs_use_file_start() and debugfs_use_file_finish(), increment
and decrement it respectively. Once the count drops to zero,
debugfs_file_put() will signal a completion which is possibly being waited
for from debugfs_remove().
Thus, as long as there is a debugfs_file_get() not yet matched by a
corresponding debugfs_file_put() around, debugfs_remove() will block.
Actual users of debugfs_use_file_start() and -finish() will get converted
to the new debugfs_file_get() and debugfs_file_put() by followup patches.
Fixes: 49d200deaa68 ("debugfs: prevent access to removed files' private data")
Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-30 23:15:48 +00:00
|
|
|
}
|
|
|
|
|
|
2019-11-18 14:43:10 +00:00
|
|
|
static void remove_one(struct dentry *victim)
|
2008-07-01 13:14:51 +00:00
|
|
|
{
|
2019-11-18 14:43:10 +00:00
|
|
|
if (d_is_reg(victim))
|
|
|
|
|
__debugfs_file_removed(victim);
|
|
|
|
|
simple_release_fs(&debugfs_mount, &debugfs_mount_count);
|
2008-07-01 13:14:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2019-11-18 14:43:10 +00:00
|
|
|
* debugfs_remove - recursively removes a directory
|
2015-09-07 17:03:15 +00:00
|
|
|
* @dentry: a pointer to a the dentry of the directory to be removed. If this
|
|
|
|
|
* parameter is NULL or an error value, nothing will be done.
|
2008-07-01 13:14:51 +00:00
|
|
|
*
|
|
|
|
|
* This function recursively removes a directory tree in debugfs that
|
|
|
|
|
* was previously created with a call to another debugfs function
|
|
|
|
|
* (like debugfs_create_file() or variants thereof.)
|
|
|
|
|
*
|
|
|
|
|
* This function is required to be called in order for the file to be
|
|
|
|
|
* removed, no automatic cleanup of files will happen when a module is
|
|
|
|
|
* removed, you are responsible here.
|
|
|
|
|
*/
|
2019-11-18 14:43:10 +00:00
|
|
|
void debugfs_remove(struct dentry *dentry)
|
2008-07-01 13:14:51 +00:00
|
|
|
{
|
2012-05-23 13:13:07 +00:00
|
|
|
if (IS_ERR_OR_NULL(dentry))
|
2008-07-01 13:14:51 +00:00
|
|
|
return;
|
|
|
|
|
|
2019-11-18 14:43:10 +00:00
|
|
|
simple_pin_fs(&debug_fs_type, &debugfs_mount, &debugfs_mount_count);
|
|
|
|
|
simple_recursive_removal(dentry, remove_one);
|
|
|
|
|
simple_release_fs(&debugfs_mount, &debugfs_mount_count);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2019-11-18 14:43:10 +00:00
|
|
|
EXPORT_SYMBOL_GPL(debugfs_remove);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2022-09-02 14:59:15 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_lookup_and_remove - lookup a directory or file and recursively remove it
|
|
|
|
|
* @name: a pointer to a string containing the name of the item to look up.
|
|
|
|
|
* @parent: a pointer to the parent dentry of the item.
|
|
|
|
|
*
|
|
|
|
|
* This is the equlivant of doing something like
|
|
|
|
|
* debugfs_remove(debugfs_lookup(..)) but with the proper reference counting
|
|
|
|
|
* handled for the directory being looked up.
|
|
|
|
|
*/
|
|
|
|
|
void debugfs_lookup_and_remove(const char *name, struct dentry *parent)
|
|
|
|
|
{
|
|
|
|
|
struct dentry *dentry;
|
|
|
|
|
|
|
|
|
|
dentry = debugfs_lookup(name, parent);
|
|
|
|
|
if (!dentry)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
debugfs_remove(dentry);
|
|
|
|
|
dput(dentry);
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_lookup_and_remove);
|
|
|
|
|
|
2007-05-09 11:19:52 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_rename - rename a file/directory in the debugfs filesystem
|
|
|
|
|
* @old_dir: a pointer to the parent dentry for the renamed object. This
|
|
|
|
|
* should be a directory dentry.
|
|
|
|
|
* @old_dentry: dentry of an object to be renamed.
|
|
|
|
|
* @new_dir: a pointer to the parent dentry where the object should be
|
|
|
|
|
* moved. This should be a directory dentry.
|
|
|
|
|
* @new_name: a pointer to a string containing the target name.
|
|
|
|
|
*
|
|
|
|
|
* This function renames a file/directory in debugfs. The target must not
|
|
|
|
|
* exist for rename to succeed.
|
|
|
|
|
*
|
|
|
|
|
* This function will return a pointer to old_dentry (which is updated to
|
2023-02-20 12:47:21 +00:00
|
|
|
* reflect renaming) if it succeeds. If an error occurs, ERR_PTR(-ERROR)
|
2023-02-08 03:56:34 +00:00
|
|
|
* will be returned.
|
2007-05-09 11:19:52 +00:00
|
|
|
*
|
|
|
|
|
* If debugfs is not enabled in the kernel, the value -%ENODEV will be
|
|
|
|
|
* returned.
|
|
|
|
|
*/
|
|
|
|
|
struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
|
|
|
|
|
struct dentry *new_dir, const char *new_name)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
struct dentry *dentry = NULL, *trap;
|
2017-07-07 18:51:19 +00:00
|
|
|
struct name_snapshot old_name;
|
2007-05-09 11:19:52 +00:00
|
|
|
|
2019-01-23 10:27:02 +00:00
|
|
|
if (IS_ERR(old_dir))
|
|
|
|
|
return old_dir;
|
|
|
|
|
if (IS_ERR(new_dir))
|
|
|
|
|
return new_dir;
|
|
|
|
|
if (IS_ERR_OR_NULL(old_dentry))
|
|
|
|
|
return old_dentry;
|
|
|
|
|
|
2007-05-09 11:19:52 +00:00
|
|
|
trap = lock_rename(new_dir, old_dir);
|
|
|
|
|
/* Source or destination directories don't exist? */
|
2015-03-17 22:25:59 +00:00
|
|
|
if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))
|
2007-05-09 11:19:52 +00:00
|
|
|
goto exit;
|
|
|
|
|
/* Source does not exist, cyclic rename, or mountpoint? */
|
2015-03-17 22:25:59 +00:00
|
|
|
if (d_really_is_negative(old_dentry) || old_dentry == trap ||
|
2007-05-09 11:19:52 +00:00
|
|
|
d_mountpoint(old_dentry))
|
|
|
|
|
goto exit;
|
|
|
|
|
dentry = lookup_one_len(new_name, new_dir, strlen(new_name));
|
|
|
|
|
/* Lookup failed, cyclic rename or target exists? */
|
2015-03-17 22:25:59 +00:00
|
|
|
if (IS_ERR(dentry) || dentry == trap || d_really_is_positive(dentry))
|
2007-05-09 11:19:52 +00:00
|
|
|
goto exit;
|
|
|
|
|
|
2017-07-07 18:51:19 +00:00
|
|
|
take_dentry_name_snapshot(&old_name, old_dentry);
|
2007-05-09 11:19:52 +00:00
|
|
|
|
2023-01-13 11:49:17 +00:00
|
|
|
error = simple_rename(&nop_mnt_idmap, d_inode(old_dir), old_dentry,
|
2021-01-21 13:19:43 +00:00
|
|
|
d_inode(new_dir), dentry, 0);
|
2007-05-09 11:19:52 +00:00
|
|
|
if (error) {
|
2017-07-07 18:51:19 +00:00
|
|
|
release_dentry_name_snapshot(&old_name);
|
2007-05-09 11:19:52 +00:00
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
d_move(old_dentry, dentry);
|
2019-04-26 17:21:24 +00:00
|
|
|
fsnotify_move(d_inode(old_dir), d_inode(new_dir), &old_name.name,
|
VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)
Convert the following where appropriate:
(1) S_ISLNK(dentry->d_inode) to d_is_symlink(dentry).
(2) S_ISREG(dentry->d_inode) to d_is_reg(dentry).
(3) S_ISDIR(dentry->d_inode) to d_is_dir(dentry). This is actually more
complicated than it appears as some calls should be converted to
d_can_lookup() instead. The difference is whether the directory in
question is a real dir with a ->lookup op or whether it's a fake dir with
a ->d_automount op.
In some circumstances, we can subsume checks for dentry->d_inode not being
NULL into this, provided we the code isn't in a filesystem that expects
d_inode to be NULL if the dirent really *is* negative (ie. if we're going to
use d_inode() rather than d_backing_inode() to get the inode pointer).
Note that the dentry type field may be set to something other than
DCACHE_MISS_TYPE when d_inode is NULL in the case of unionmount, where the VFS
manages the fall-through from a negative dentry to a lower layer. In such a
case, the dentry type of the negative union dentry is set to the same as the
type of the lower dentry.
However, if you know d_inode is not NULL at the call site, then you can use
the d_is_xxx() functions even in a filesystem.
There is one further complication: a 0,0 chardev dentry may be labelled
DCACHE_WHITEOUT_TYPE rather than DCACHE_SPECIAL_TYPE. Strictly, this was
intended for special directory entry types that don't have attached inodes.
The following perl+coccinelle script was used:
use strict;
my @callers;
open($fd, 'git grep -l \'S_IS[A-Z].*->d_inode\' |') ||
die "Can't grep for S_ISDIR and co. callers";
@callers = <$fd>;
close($fd);
unless (@callers) {
print "No matches\n";
exit(0);
}
my @cocci = (
'@@',
'expression E;',
'@@',
'',
'- S_ISLNK(E->d_inode->i_mode)',
'+ d_is_symlink(E)',
'',
'@@',
'expression E;',
'@@',
'',
'- S_ISDIR(E->d_inode->i_mode)',
'+ d_is_dir(E)',
'',
'@@',
'expression E;',
'@@',
'',
'- S_ISREG(E->d_inode->i_mode)',
'+ d_is_reg(E)' );
my $coccifile = "tmp.sp.cocci";
open($fd, ">$coccifile") || die $coccifile;
print($fd "$_\n") || die $coccifile foreach (@cocci);
close($fd);
foreach my $file (@callers) {
chomp $file;
print "Processing ", $file, "\n";
system("spatch", "--sp-file", $coccifile, $file, "--in-place", "--no-show-diff") == 0 ||
die "spatch failed";
}
[AV: overlayfs parts skipped]
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-01-29 12:02:35 +00:00
|
|
|
d_is_dir(old_dentry),
|
2007-06-07 16:19:32 +00:00
|
|
|
NULL, old_dentry);
|
2017-07-07 18:51:19 +00:00
|
|
|
release_dentry_name_snapshot(&old_name);
|
2007-05-09 11:19:52 +00:00
|
|
|
unlock_rename(new_dir, old_dir);
|
|
|
|
|
dput(dentry);
|
|
|
|
|
return old_dentry;
|
|
|
|
|
exit:
|
|
|
|
|
if (dentry && !IS_ERR(dentry))
|
|
|
|
|
dput(dentry);
|
|
|
|
|
unlock_rename(new_dir, old_dir);
|
debugfs: return error values, not NULL
When an error happens, debugfs should return an error pointer value, not
NULL. This will prevent the totally theoretical error where a debugfs
call fails due to lack of memory, returning NULL, and that dentry value
is then passed to another debugfs call, which would end up succeeding,
creating a file at the root of the debugfs tree, but would then be
impossible to remove (because you can not remove the directory NULL).
So, to make everyone happy, always return errors, this makes the users
of debugfs much simpler (they do not have to ever check the return
value), and everyone can rest easy.
Reported-by: Gary R Hook <ghook@amd.com>
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Masami Hiramatsu <mhiramat@kernel.org>
Reported-by: Michal Hocko <mhocko@kernel.org>
Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reported-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-23 10:28:14 +00:00
|
|
|
if (IS_ERR(dentry))
|
|
|
|
|
return dentry;
|
|
|
|
|
return ERR_PTR(-EINVAL);
|
2007-05-09 11:19:52 +00:00
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_rename);
|
|
|
|
|
|
2009-03-22 22:10:44 +00:00
|
|
|
/**
|
|
|
|
|
* debugfs_initialized - Tells whether debugfs has been registered
|
|
|
|
|
*/
|
|
|
|
|
bool debugfs_initialized(void)
|
|
|
|
|
{
|
|
|
|
|
return debugfs_registered;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(debugfs_initialized);
|
|
|
|
|
|
2020-07-16 07:15:11 +00:00
|
|
|
static int __init debugfs_kernel(char *str)
|
|
|
|
|
{
|
|
|
|
|
if (str) {
|
|
|
|
|
if (!strcmp(str, "on"))
|
|
|
|
|
debugfs_allow = DEBUGFS_ALLOW_API | DEBUGFS_ALLOW_MOUNT;
|
|
|
|
|
else if (!strcmp(str, "no-mount"))
|
|
|
|
|
debugfs_allow = DEBUGFS_ALLOW_API;
|
|
|
|
|
else if (!strcmp(str, "off"))
|
|
|
|
|
debugfs_allow = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
early_param("debugfs", debugfs_kernel);
|
2005-04-16 22:20:36 +00:00
|
|
|
static int __init debugfs_init(void)
|
|
|
|
|
{
|
|
|
|
|
int retval;
|
|
|
|
|
|
2020-07-16 07:15:11 +00:00
|
|
|
if (!(debugfs_allow & DEBUGFS_ALLOW_MOUNT))
|
|
|
|
|
return -EPERM;
|
|
|
|
|
|
2015-05-13 22:35:41 +00:00
|
|
|
retval = sysfs_create_mount_point(kernel_kobj, "debug");
|
|
|
|
|
if (retval)
|
|
|
|
|
return retval;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
retval = register_filesystem(&debug_fs_type);
|
|
|
|
|
if (retval)
|
2015-05-13 22:35:41 +00:00
|
|
|
sysfs_remove_mount_point(kernel_kobj, "debug");
|
2009-03-22 22:10:44 +00:00
|
|
|
else
|
|
|
|
|
debugfs_registered = true;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
core_initcall(debugfs_init);
|