Re: [PATCH v5 5/7] blktrace: fix debugfs use after free

[Luis Chamberlain <mcgrof@kernel.org>]

On Wed, May 27, 2020 at 06:15:10PM -0700, Bart Van Assche wrote:
> On 2020-05-26 20:12, Luis Chamberlain wrote:
> > +	/*
> > +	 * Blktrace needs a debugsfs name even for queues that don't register
> > +	 * a gendisk, so it lazily registers the debugfs directory.  But that
> > +	 * can get us into a situation where a SCSI device is found, with no
> > +	 * driver for it (yet).  Then blktrace is used on the device, creating
> > +	 * the debugfs directory, and only after that a drivers is loaded. In
>                                                         ^^^^^^^
>                                                         driver?

Fixed.

> > @@ -494,6 +490,38 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
> >  	 */
> >  	strreplace(buts->name, '/', '_');
> >  
> > +	/*
> > +	 * We also have to use a partition directory if a partition is
> > +	 * being worked on, even though the same request_queue is shared.
> > +	 */
> > +	if (bdev && bdev != bdev->bd_contains)
> > +		dir = bdev->bd_part->debugfs_dir;
> 
> Please balance braces in if-statements as required by the kernel coding style.

Sure thing.

> > +	else {
> > +		/*
> > +		 * For queues that do not have a gendisk attached to them, the
> > +		 * debugfs directory will not have been created at setup time.
> > +		 * Create it here lazily, it will only be removed when the
> > +		 * queue is torn down.
> > +		 */
> 
> Is the above comment perhaps a reference to blk_register_queue()? If so, please
> mention the name of that function explicitly.

No, it actually is in reference to *add_disk()* helpers, so I'll add
that there. scsi-generic is the ugly child we have which we don't talk
too much about, not sure if we have a proper name for *non* add_disk()
related use of the request_queue... oh and mmc I think?

I've changed this to (ignore spaces, I'll adjust):

* For queues that do not have a gendisk attached to them, that is those
* which do not use *add_disk*() or similar, the debugfs directory will
* not have been created at setup time.  This is the case for
* scsi-generic drivers.  Create it here lazily, it will only be removed
* when the queue is torn down.

> > +		if (!q->debugfs_dir) {
> > +			q->debugfs_dir =
> > +				debugfs_create_dir(buts->name,
> > +						   blk_debugfs_root);
> > +		}
> > +		dir = q->debugfs_dir;
> > +	}
> > +
> > +	/*
> > +	 * As blktrace relies on debugfs for its interface the debugfs directory
> > +	 * is required, contrary to the usual mantra of not checking for debugfs
> > +	 * files or directories.
> > +	 */
> > +	if (IS_ERR_OR_NULL(q->debugfs_dir)) {
> > +		pr_warn("debugfs_dir not present for %s so skipping\n",
> > +			buts->name);
> > +		return -ENOENT;
> > +	}
> 
> How are do_blk_trace_setup() calls serialized against the debugfs directory
> creation code in blk_register_queue()? Perhaps via q->blk_trace_mutex?

Yes, hence the mutex lock that Christoph added as an alternative to
the whole symlink stuff for scsi-generic and addressing this on the
class interface driver.

> Are
> mutex lock and unlock calls for that mutex perhaps missing from
> compat_blk_trace_setup()?

No, because that is called from blk_trace_ioctl(), and that holds the
mutex.

> How about adding a lockdep_assert_held(&q->blk_trace_mutex) statement in
> do_blk_trace_setup()?

Sure, however that doesn't seem part of the fix. How about adding that
as a separat patch?

  Luis