Re: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()

From: Greg Kroah-Hartman
Date: Sun Apr 04 2021 - 06:14:26 EST

Next message: Matthew Wilcox: "Something is leaking RCU holds from interrupt context"
Previous message: Greg KH: "Re: [PATCH next 2/2] misc: Add Renesas Synchronization Management Unit (SMU) support"
In reply to: Samuel Holland: "[PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()"
Next in thread: Samuel Holland: "Re: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Apr 03, 2021 at 07:45:04PM -0500, Samuel Holland wrote:
> This function uses devres to clean up its allocation, but it never removes the
> file referencing that allocation. This causes a use-after-free and an oops if
> the file is accessed after the owning device is removed.

What in-kernel user of this is having this problem?

The driver should clean up the debugfs file, it is not the debugfs
core's job to auto-remove the file.

The resource is what is being cleaned up by the devm usage in debugfs,
that's all, not the file.

Please fix up the driver that is creating the file but then not removing
it.

thanks,

greg k-h

Next message: Matthew Wilcox: "Something is leaking RCU holds from interrupt context"
Previous message: Greg KH: "Re: [PATCH next 2/2] misc: Add Renesas Synchronization Management Unit (SMU) support"
In reply to: Samuel Holland: "[PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()"
Next in thread: Samuel Holland: "Re: [PATCH] debugfs: Fix use-after-free in debugfs_create_devm_seqfile()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]