Re: [PATCH v3 4/6] blktrace: fix debugfs use after free

From: Luis Chamberlain <mcgrof@kernel.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org,
	gregkh@linuxfoundation.org, rostedt@goodmis.org,
	mingo@redhat.com, jack@suse.cz, ming.lei@redhat.com,
	nstange@suse.de, akpm@linux-foundation.org, mhocko@suse.com,
	yukuai3@huawei.com, linux-block@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, Omar Sandoval <osandov@fb.com>,
	Hannes Reinecke <hare@suse.com>, Michal Hocko <mhocko@kernel.org>,
	syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com
Subject: Re: [PATCH v3 4/6] blktrace: fix debugfs use after free
Date: Wed, 29 Apr 2020 11:45:42 +0000	[thread overview]
Message-ID: <20200429114542.GJ11244@42.do-not-panic.com> (raw)
In-Reply-To: <20200429112637.GD21892@infradead.org>

On Wed, Apr 29, 2020 at 04:26:37AM -0700, Christoph Hellwig wrote:
> I can't say I'm a fan of all these long backtraces in commit logs..
> 
> > +static struct dentry *blk_debugfs_dir_register(const char *name)
> > +{
> > +	return debugfs_create_dir(name, blk_debugfs_root);
> > +}
> 
> I don't think we really need this helper.

We don't export blk_debugfs_root, didn't think we'd want to, and
since only a few scew funky drivers would use the struct gendisk
and also support BLKTRACE, I didn't think we'd want to export it
now.

A new block private symbol namespace alright?

> > +void blk_part_debugfs_unregister(struct hd_struct *p)
> > +{
> > +	debugfs_remove_recursive(p->debugfs_dir);
> > +	p->debugfs_dir = NULL;
> > +}
> 
> Why do we need to clear the pointer here?

True, not needed for partition.

> > +#ifdef CONFIG_DEBUG_FS
> > +	/* Currently only used by kernel/trace/blktrace.c */
> > +	struct dentry *debugfs_dir;
> > +#endif
> 
> Does that comment really add value?

I'll nuke it.

> > +static struct dentry *blk_trace_debugfs_dir(struct block_device *bdev,
> > +					    struct request_queue *q)
> >  {
> > +	struct hd_struct *p = NULL;
> >  
> > +	 * Some drivers like scsi-generic use a NULL block device. For
> > +	 * other drivers when bdev != bdev->bd_contain we are doing a blktrace
> > +	 * on a parition, otherwise we know we are working on the whole
> > +	 * disk, and for that the request_queue already has its own debugfs_dir.
> > +	 * which we have been using for other things other than blktrace.
> > +	 */
> > +	if (bdev && bdev != bdev->bd_contains)
> > +		p = bdev->bd_part;
> >  
> > +	if (p)
> > +		return p->debugfs_dir;
> > +
> > +	return q->debugfs_dir;
> 
> This could be simplified down to:
> 
> 	if (bdev && bdev != bdev->bd_contains)
> 		return bdev->bd_part->debugfs_dir;
> 	return q->debugfs_dir;
>
> Given that bd_part is in __blkdev_get very near bd_contains.

Ah neat.

> Also given that this patch completely rewrites blk_trace_debugfs_dir is
> there any point in the previous patch?

Still think it helps with making this patch easier to read, but I don't
care, lemme know if I should just fold it.

> > @@ -491,6 +500,7 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
> >  	struct dentry *dir = NULL;
> >  	int ret;
> >  
> > +
> >  	if (!buts->buf_size || !buts->buf_nr)
> >  		return -EINVAL;
> >  
> 
> Spurious whitespace change.

Will nuke.

  Luis