On 4/4/21 5:08 AM, Greg Kroah-Hartman wrote:
> On Sat, Apr 03, 2021 at 07:45:04PM -0500, Samuel Holland wrote:
>> This function uses devres to clean up its allocation, but it never removes
>> the
>> file referencing that allocation. This causes a use-after-free and an oops if
>> the file is accessed after the owning device is removed.
>
> What in-kernel user of this is having this problem?
>
> The driver should clean up the debugfs file, it is not the debugfs
> core's job to auto-remove the file.
The function returns void. debugfs_remove() requires the dentry pointer,
which the caller does not have. How is the driver expected to clean up
the file?
Do you expect the driver to remove the file as a side effect of
recursively removing its parent? If so, that conflicts with the
documentation for debugfs_create_devm_seqfile(), which describes NULL as
a valid parent:
@parent: a pointer to the parent dentry for this file. This should be a
directory dentry if set. If this parameter is %NULL, then the
file will be created in the root of the debugfs filesystem.
There is one in-kernel caller that uses a NULL parent, in
drivers/gpio/gpio-tegra.c
> The resource is what is being cleaned up by the devm usage in debugfs,
> that's all, not the file.
>
> Please fix up the driver that is creating the file but then not removing
> it.
In that case, the function documentation should be modified to state
that the driver is responsible for removing the parent directory, and
that NULL is not a valid parent here. I can send a patch doing that instead.
Samuel
