From: Christoph Hellwig <hch@infradead.org>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: Christoph Hellwig <hch@infradead.org>, Jan Kara <jack@suse.cz>,
axboe@kernel.dk, viro@zeniv.linux.org.uk, bvanassche@acm.org,
gregkh@linuxfoundation.org, rostedt@goodmis.org,
mingo@redhat.com, ming.lei@redhat.com, nstange@suse.de,
akpm@linux-foundation.org, mhocko@suse.com, yukuai3@huawei.com,
martin.petersen@oracle.com, jejb@linux.ibm.com,
linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Omar Sandoval <osandov@fb.com>, Hannes Reinecke <hare@suse.com>,
Michal Hocko <mhocko@kernel.org>,
syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com
Subject: Re: [PATCH v6 6/6] blktrace: fix debugfs use after free
Date: Tue, 9 Jun 2020 23:42:34 -0700 [thread overview]
Message-ID: <20200610064234.GB24975@infradead.org> (raw)
In-Reply-To: <20200609175359.GR11244@42.do-not-panic.com>
On Tue, Jun 09, 2020 at 05:53:59PM +0000, Luis Chamberlain wrote:
> > Feel free to add more comments, but please try to keep them short
> > and crisp. At the some point long comments really distract from what
> > is going on.
>
> Sure.
>
> Come to think of it, given the above, I think we can also do way with
> the the partition stuff too, and rely on the buts->name too. I'll try
> this out, and test it.
Yes, the sg path should work for partitions as well. That should not
only simplify the code, but also the comments, we can do something like
the full patch below (incorporating your original one). This doesn't
include the error check on the creation - I think that check probably
is a good idea for this case based on the comments in the old patch, but
also a separate issue that should go into another patch on top.
diff --git a/block/blk-mq-debugfs.c b/block/blk-mq-debugfs.c
index 15df3a36e9fa43..a2800bc56fb4d3 100644
--- a/block/blk-mq-debugfs.c
+++ b/block/blk-mq-debugfs.c
@@ -824,9 +824,6 @@ void blk_mq_debugfs_register(struct request_queue *q)
struct blk_mq_hw_ctx *hctx;
int i;
- q->debugfs_dir = debugfs_create_dir(kobject_name(q->kobj.parent),
- blk_debugfs_root);
-
debugfs_create_files(q->debugfs_dir, q, blk_mq_debugfs_queue_attrs);
/*
@@ -857,9 +854,7 @@ void blk_mq_debugfs_register(struct request_queue *q)
void blk_mq_debugfs_unregister(struct request_queue *q)
{
- debugfs_remove_recursive(q->debugfs_dir);
q->sched_debugfs_dir = NULL;
- q->debugfs_dir = NULL;
}
static void blk_mq_debugfs_register_ctx(struct blk_mq_hw_ctx *hctx,
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index 561624d4cc4e7f..4e9909e1b25736 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -11,6 +11,7 @@
#include <linux/blktrace_api.h>
#include <linux/blk-mq.h>
#include <linux/blk-cgroup.h>
+#include <linux/debugfs.h>
#include "blk.h"
#include "blk-mq.h"
@@ -918,6 +919,7 @@ static void blk_release_queue(struct kobject *kobj)
blk_trace_shutdown(q);
+ debugfs_remove_recursive(q->debugfs_dir);
if (queue_is_mq(q))
blk_mq_debugfs_unregister(q);
@@ -989,6 +991,9 @@ int blk_register_queue(struct gendisk *disk)
goto unlock;
}
+ q->debugfs_dir = debugfs_create_dir(kobject_name(q->kobj.parent),
+ blk_debugfs_root);
+
if (queue_is_mq(q)) {
__blk_mq_register_dev(dev, q);
blk_mq_debugfs_register(q);
diff --git a/block/blk.h b/block/blk.h
index b5d1f0fc6547c7..499308c6ab3b0f 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -14,9 +14,7 @@
/* Max future timer expiry for timeouts */
#define BLK_MAX_TIMEOUT (5 * HZ)
-#ifdef CONFIG_DEBUG_FS
extern struct dentry *blk_debugfs_root;
-#endif
struct blk_flush_queue {
unsigned int flush_pending_idx:1;
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index fc88330a3d97ed..b49c7c741bc9f3 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -574,8 +574,8 @@ struct request_queue {
struct list_head tag_set_list;
struct bio_set bio_split;
-#ifdef CONFIG_BLK_DEBUG_FS
struct dentry *debugfs_dir;
+#ifdef CONFIG_BLK_DEBUG_FS
struct dentry *sched_debugfs_dir;
struct dentry *rqos_debugfs_dir;
#endif
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index fee5c8d8916690..6eb364b393714f 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -509,10 +509,15 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
if (!bt->msg_data)
goto err;
- ret = -ENOENT;
-
- dir = debugfs_lookup(buts->name, blk_debugfs_root);
- if (!dir)
+ /*
+ * When tracing a whole block device, reuse the existing debugfs
+ * directory created by the block layer. For partitions or character
+ * devices (e.g. /dev/sg), create a new debugfs directory that will be
+ * removed once the trace ends.
+ */
+ if (bdev && bdev == bdev->bd_contains)
+ dir = q->debugfs_dir;
+ else
bt->dir = dir = debugfs_create_dir(buts->name, blk_debugfs_root);
bt->dev = dev;
@@ -553,8 +558,6 @@ static int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
ret = 0;
err:
- if (dir && !bt->dir)
- dput(dir);
if (ret)
blk_trace_free(bt);
return ret;
next prev parent reply other threads:[~2020-06-10 6:43 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 17:01 [PATCH v6 0/8] block: fix blktrace debugfs use after free Luis Chamberlain
2020-06-08 17:01 ` [PATCH v6 1/6] block: add docs for gendisk / request_queue refcount helpers Luis Chamberlain
2020-06-08 17:01 ` [PATCH v6 2/6] block: clarify context for refcount increment helpers Luis Chamberlain
2020-06-08 17:01 ` [PATCH v6 3/6] block: revert back to synchronous request_queue removal Luis Chamberlain
2020-06-13 1:53 ` Bart Van Assche
2020-06-19 20:23 ` Luis Chamberlain
2020-06-08 17:01 ` [PATCH v6 4/6] blktrace: annotate required lock on do_blk_trace_setup() Luis Chamberlain
2020-06-09 14:18 ` Christoph Hellwig
2020-06-13 1:54 ` Bart Van Assche
2020-06-08 17:01 ` [PATCH v6 5/6] loop: be paranoid on exit and prevent new additions / removals Luis Chamberlain
2020-06-08 17:01 ` [PATCH v6 6/6] blktrace: fix debugfs use after free Luis Chamberlain
2020-06-09 15:06 ` Christoph Hellwig
2020-06-09 17:29 ` Luis Chamberlain
2020-06-09 17:32 ` Christoph Hellwig
2020-06-09 17:53 ` Luis Chamberlain
2020-06-10 6:42 ` Christoph Hellwig [this message]
2020-06-10 21:09 ` Luis Chamberlain
2020-06-10 21:52 ` Luis Chamberlain
2020-06-10 23:31 ` Luis Chamberlain
2020-06-11 5:40 ` Christoph Hellwig
2020-06-13 2:42 ` Bart Van Assche
2020-06-19 15:36 ` Luis Chamberlain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200610064234.GB24975@infradead.org \
--to=hch@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=axboe@kernel.dk \
--cc=bvanassche@acm.org \
--cc=gregkh@linuxfoundation.org \
--cc=hare@suse.com \
--cc=jack@suse.cz \
--cc=jejb@linux.ibm.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=martin.petersen@oracle.com \
--cc=mcgrof@kernel.org \
--cc=mhocko@kernel.org \
--cc=mhocko@suse.com \
--cc=ming.lei@redhat.com \
--cc=mingo@redhat.com \
--cc=nstange@suse.de \
--cc=osandov@fb.com \
--cc=rostedt@goodmis.org \
--cc=syzbot+603294af2d01acfdd6da@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).