2005-04-17 02:20:36 +04:00
/*
* file . c - part of debugfs , a tiny little debug file system
*
* Copyright ( C ) 2004 Greg Kroah - Hartman < greg @ kroah . com >
* Copyright ( C ) 2004 IBM Inc .
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License version
* 2 as published by the Free Software Foundation .
*
* debugfs is for people to use instead of / proc or / sys .
2008-04-25 16:52:51 +04:00
* See Documentation / DocBook / filesystems for more details .
2005-04-17 02:20:36 +04:00
*
*/
# include <linux/module.h>
# include <linux/fs.h>
2011-11-18 17:50:21 +04:00
# include <linux/seq_file.h>
2005-04-17 02:20:36 +04:00
# include <linux/pagemap.h>
# include <linux/debugfs.h>
2011-11-21 13:01:40 +04:00
# include <linux/io.h>
2012-03-23 12:06:28 +04:00
# include <linux/slab.h>
2013-06-04 00:33:02 +04:00
# include <linux/atomic.h>
2014-11-09 13:31:58 +03:00
# include <linux/device.h>
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
# include <linux/srcu.h>
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
# include <asm/poll.h>
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
# include "internal.h"
2005-04-17 02:20:36 +04:00
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
struct poll_table_struct ;
2005-04-17 02:20:36 +04:00
static ssize_t default_read_file ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
return 0 ;
}
static ssize_t default_write_file ( struct file * file , const char __user * buf ,
size_t count , loff_t * ppos )
{
return count ;
}
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
const struct file_operations debugfs_noop_file_operations = {
2005-04-17 02:20:36 +04:00
. read = default_read_file ,
. write = default_write_file ,
2012-04-06 01:25:11 +04:00
. open = simple_open ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = noop_llseek ,
2005-04-17 02:20:36 +04:00
} ;
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
/**
* debugfs_use_file_start - mark the beginning of file data access
* @ dentry : the dentry object whose data is being accessed .
* @ srcu_idx : a pointer to some memory to store a SRCU index in .
*
* Up to a matching call to debugfs_use_file_finish ( ) , any
* successive call into the file removing functions debugfs_remove ( )
* and debugfs_remove_recursive ( ) will block . Since associated private
* file data may only get freed after a successful return of any of
* the removal functions , you may safely access it after a successful
* call to debugfs_use_file_start ( ) without worrying about
* lifetime issues .
*
* If - % EIO is returned , the file has already been removed and thus ,
* it is not safe to access any of its data . If , on the other hand ,
* it is allowed to access the file data , zero is returned .
*
* Regardless of the return code , any call to
* debugfs_use_file_start ( ) must be followed by a matching call
* to debugfs_use_file_finish ( ) .
*/
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
int debugfs_use_file_start ( const struct dentry * dentry , int * srcu_idx )
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
__acquires ( & debugfs_srcu )
{
* srcu_idx = srcu_read_lock ( & debugfs_srcu ) ;
barrier ( ) ;
if ( d_unlinked ( dentry ) )
return - EIO ;
return 0 ;
}
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
EXPORT_SYMBOL_GPL ( debugfs_use_file_start ) ;
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
/**
* debugfs_use_file_finish - mark the end of file data access
* @ srcu_idx : the SRCU index " created " by a former call to
* debugfs_use_file_start ( ) .
*
* Allow any ongoing concurrent call into debugfs_remove ( ) or
* debugfs_remove_recursive ( ) blocked by a former call to
* debugfs_use_file_start ( ) to proceed and return to its caller .
*/
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
void debugfs_use_file_finish ( int srcu_idx ) __releases ( & debugfs_srcu )
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
{
srcu_read_unlock ( & debugfs_srcu , srcu_idx ) ;
}
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
EXPORT_SYMBOL_GPL ( debugfs_use_file_finish ) ;
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
# define F_DENTRY(filp) ((filp)->f_path.dentry)
static int open_proxy_open ( struct inode * inode , struct file * filp )
{
const struct dentry * dentry = F_DENTRY ( filp ) ;
const struct file_operations * real_fops = NULL ;
int srcu_idx , r ;
r = debugfs_use_file_start ( dentry , & srcu_idx ) ;
if ( r ) {
r = - ENOENT ;
goto out ;
}
2016-09-17 22:43:01 +03:00
real_fops = debugfs_real_fops ( filp ) ;
debugfs: prevent access to possibly dead file_operations at file open
Nothing prevents a dentry found by path lookup before a return of
__debugfs_remove() to actually get opened after that return. Now, after
the return of __debugfs_remove(), there are no guarantees whatsoever
regarding the memory the corresponding inode's file_operations object
had been kept in.
Since __debugfs_remove() is seldomly invoked, usually from module exit
handlers only, the race is hard to trigger and the impact is very low.
A discussion of the problem outlined above as well as a suggested
solution can be found in the (sub-)thread rooted at
http://lkml.kernel.org/g/20130401203445.GA20862@ZenIV.linux.org.uk
("Yet another pipe related oops.")
Basically, Greg KH suggests to introduce an intermediate fops and
Al Viro points out that a pointer to the original ones may be stored in
->d_fsdata.
Follow this line of reasoning:
- Add SRCU as a reverse dependency of DEBUG_FS.
- Introduce a srcu_struct object for the debugfs subsystem.
- In debugfs_create_file(), store a pointer to the original
file_operations object in ->d_fsdata.
- Make debugfs_remove() and debugfs_remove_recursive() wait for a
SRCU grace period after the dentry has been delete()'d and before they
return to their callers.
- Introduce an intermediate file_operations object named
"debugfs_open_proxy_file_operations". It's ->open() functions checks,
under the protection of a SRCU read lock, whether the dentry is still
alive, i.e. has not been d_delete()'d and if so, tries to acquire a
reference on the owning module.
On success, it sets the file object's ->f_op to the original
file_operations and forwards the ongoing open() call to the original
->open().
- For clarity, rename the former debugfs_file_operations to
debugfs_noop_file_operations -- they are in no way canonical.
The choice of SRCU over "normal" RCU is justified by the fact, that the
former may also be used to protect ->i_private data from going away
during the execution of a file's readers and writers which may (and do)
sleep.
Finally, introduce the fs/debugfs/internal.h header containing some
declarations internal to the debugfs implementation.
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:13 +03:00
real_fops = fops_get ( real_fops ) ;
if ( ! real_fops ) {
/* Huh? Module did not clean up after itself at exit? */
WARN ( 1 , " debugfs file owner did not clean up at exit: %pd " ,
dentry ) ;
r = - ENXIO ;
goto out ;
}
replace_fops ( filp , real_fops ) ;
if ( real_fops - > open )
r = real_fops - > open ( inode , filp ) ;
out :
debugfs_use_file_finish ( srcu_idx ) ;
return r ;
}
const struct file_operations debugfs_open_proxy_file_operations = {
. open = open_proxy_open ,
} ;
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
# define PROTO(args...) args
# define ARGS(args...) args
# define FULL_PROXY_FUNC(name, ret_type, filp, proto, args) \
static ret_type full_proxy_ # # name ( proto ) \
{ \
const struct dentry * dentry = F_DENTRY ( filp ) ; \
const struct file_operations * real_fops = \
2016-09-17 22:43:01 +03:00
debugfs_real_fops ( filp ) ; \
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
int srcu_idx ; \
ret_type r ; \
\
r = debugfs_use_file_start ( dentry , & srcu_idx ) ; \
if ( likely ( ! r ) ) \
r = real_fops - > name ( args ) ; \
debugfs_use_file_finish ( srcu_idx ) ; \
return r ; \
}
FULL_PROXY_FUNC ( llseek , loff_t , filp ,
PROTO ( struct file * filp , loff_t offset , int whence ) ,
ARGS ( filp , offset , whence ) ) ;
FULL_PROXY_FUNC ( read , ssize_t , filp ,
PROTO ( struct file * filp , char __user * buf , size_t size ,
loff_t * ppos ) ,
ARGS ( filp , buf , size , ppos ) ) ;
FULL_PROXY_FUNC ( write , ssize_t , filp ,
PROTO ( struct file * filp , const char __user * buf , size_t size ,
loff_t * ppos ) ,
ARGS ( filp , buf , size , ppos ) ) ;
FULL_PROXY_FUNC ( unlocked_ioctl , long , filp ,
PROTO ( struct file * filp , unsigned int cmd , unsigned long arg ) ,
ARGS ( filp , cmd , arg ) ) ;
static unsigned int full_proxy_poll ( struct file * filp ,
struct poll_table_struct * wait )
{
const struct dentry * dentry = F_DENTRY ( filp ) ;
2016-09-17 22:43:01 +03:00
const struct file_operations * real_fops = debugfs_real_fops ( filp ) ;
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
int srcu_idx ;
unsigned int r = 0 ;
if ( debugfs_use_file_start ( dentry , & srcu_idx ) ) {
debugfs_use_file_finish ( srcu_idx ) ;
return POLLHUP ;
}
r = real_fops - > poll ( filp , wait ) ;
debugfs_use_file_finish ( srcu_idx ) ;
return r ;
}
static int full_proxy_release ( struct inode * inode , struct file * filp )
{
const struct dentry * dentry = F_DENTRY ( filp ) ;
2016-09-17 22:43:01 +03:00
const struct file_operations * real_fops = debugfs_real_fops ( filp ) ;
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
const struct file_operations * proxy_fops = filp - > f_op ;
int r = 0 ;
/*
* We must not protect this against removal races here : the
* original releaser should be called unconditionally in order
* not to leak any resources . Releasers must not assume that
* - > i_private is still being meaningful here .
*/
if ( real_fops - > release )
r = real_fops - > release ( inode , filp ) ;
replace_fops ( filp , d_inode ( dentry ) - > i_fop ) ;
kfree ( ( void * ) proxy_fops ) ;
fops_put ( real_fops ) ;
2016-09-21 12:27:36 +03:00
return r ;
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
}
static void __full_proxy_fops_init ( struct file_operations * proxy_fops ,
const struct file_operations * real_fops )
{
proxy_fops - > release = full_proxy_release ;
if ( real_fops - > llseek )
proxy_fops - > llseek = full_proxy_llseek ;
if ( real_fops - > read )
proxy_fops - > read = full_proxy_read ;
if ( real_fops - > write )
proxy_fops - > write = full_proxy_write ;
if ( real_fops - > poll )
proxy_fops - > poll = full_proxy_poll ;
if ( real_fops - > unlocked_ioctl )
proxy_fops - > unlocked_ioctl = full_proxy_unlocked_ioctl ;
}
static int full_proxy_open ( struct inode * inode , struct file * filp )
{
const struct dentry * dentry = F_DENTRY ( filp ) ;
const struct file_operations * real_fops = NULL ;
struct file_operations * proxy_fops = NULL ;
int srcu_idx , r ;
r = debugfs_use_file_start ( dentry , & srcu_idx ) ;
if ( r ) {
r = - ENOENT ;
goto out ;
}
2016-09-17 22:43:01 +03:00
real_fops = debugfs_real_fops ( filp ) ;
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
real_fops = fops_get ( real_fops ) ;
if ( ! real_fops ) {
/* Huh? Module did not cleanup after itself at exit? */
WARN ( 1 , " debugfs file owner did not clean up at exit: %pd " ,
dentry ) ;
r = - ENXIO ;
goto out ;
}
proxy_fops = kzalloc ( sizeof ( * proxy_fops ) , GFP_KERNEL ) ;
if ( ! proxy_fops ) {
r = - ENOMEM ;
goto free_proxy ;
}
__full_proxy_fops_init ( proxy_fops , real_fops ) ;
replace_fops ( filp , proxy_fops ) ;
if ( real_fops - > open ) {
r = real_fops - > open ( inode , filp ) ;
2016-05-24 14:08:53 +03:00
if ( r ) {
replace_fops ( filp , d_inode ( dentry ) - > i_fop ) ;
goto free_proxy ;
} else if ( filp - > f_op ! = proxy_fops ) {
debugfs: prevent access to removed files' private data
Upon return of debugfs_remove()/debugfs_remove_recursive(), it might
still be attempted to access associated private file data through
previously opened struct file objects. If that data has been freed by
the caller of debugfs_remove*() in the meanwhile, the reading/writing
process would either encounter a fault or, if the memory address in
question has been reassigned again, unrelated data structures could get
overwritten.
However, since debugfs files are seldomly removed, usually from module
exit handlers only, the impact is very low.
Currently, there are ~1000 call sites of debugfs_create_file() spread
throughout the whole tree and touching all of those struct file_operations
in order to make them file removal aware by means of checking the result of
debugfs_use_file_start() from within their methods is unfeasible.
Instead, wrap the struct file_operations by a lifetime managing proxy at
file open:
- In debugfs_create_file(), the original fops handed in has got stashed
away in ->d_fsdata already.
- In debugfs_create_file(), install a proxy file_operations factory,
debugfs_full_proxy_file_operations, at ->i_fop.
This proxy factory has got an ->open() method only. It carries out some
lifetime checks and if successful, dynamically allocates and sets up a new
struct file_operations proxy at ->f_op. Afterwards, it forwards to the
->open() of the original struct file_operations in ->d_fsdata, if any.
The dynamically set up proxy at ->f_op has got a lifetime managing wrapper
set for each of the methods defined in the original struct file_operations
in ->d_fsdata.
Its ->release()er frees the proxy again and forwards to the original
->release(), if any.
In order not to mislead the VFS layer, it is strictly necessary to leave
those fields blank in the proxy that have been NULL in the original
struct file_operations also, i.e. aren't supported. This is why there is a
need for dynamically allocated proxies. The choice made not to allocate a
proxy instance for every dentry at file creation, but for every
struct file object instantiated thereof is justified by the expected usage
pattern of debugfs, namely that in general very few files get opened more
than once at a time.
The wrapper methods set in the struct file_operations implement lifetime
managing by means of the SRCU protection facilities already in place for
debugfs:
They set up a SRCU read side critical section and check whether the dentry
is still alive by means of debugfs_use_file_start(). If so, they forward
the call to the original struct file_operation stored in ->d_fsdata, still
under the protection of the SRCU read side critical section.
This SRCU read side critical section prevents any pending debugfs_remove()
and friends to return to their callers. Since a file's private data must
only be freed after the return of debugfs_remove(), the ongoing proxied
call is guarded against any file removal race.
If, on the other hand, the initial call to debugfs_use_file_start() detects
that the dentry is dead, the wrapper simply returns -EIO and does not
forward the call. Note that the ->poll() wrapper is special in that its
signature does not allow for the return of arbitrary -EXXX values and thus,
POLLHUP is returned here.
In order not to pollute debugfs with wrapper definitions that aren't ever
needed, I chose not to define a wrapper for every struct file_operations
method possible. Instead, a wrapper is defined only for the subset of
methods which are actually set by any debugfs users.
Currently, these are:
->llseek()
->read()
->write()
->unlocked_ioctl()
->poll()
The ->release() wrapper is special in that it does not protect the original
->release() in any way from dead files in order not to leak resources.
Thus, any ->release() handed to debugfs must implement file lifetime
management manually, if needed.
For only 33 out of a total of 434 releasers handed in to debugfs, it could
not be verified immediately whether they access data structures that might
have been freed upon a debugfs_remove() return in the meanwhile.
Export debugfs_use_file_start() and debugfs_use_file_finish() in order to
allow any ->release() to manually implement file lifetime management.
For a set of common cases of struct file_operations implemented by the
debugfs_core itself, future patches will incorporate file lifetime
management directly within those in order to allow for their unproxied
operation. Rename the original, non-proxying "debugfs_create_file()" to
"debugfs_create_file_unsafe()" and keep it for future internal use by
debugfs itself. Factor out code common to both into the new
__debugfs_create_file().
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-22 16:11:14 +03:00
/* No protection against file removal anymore. */
WARN ( 1 , " debugfs file owner replaced proxy fops: %pd " ,
dentry ) ;
goto free_proxy ;
}
}
goto out ;
free_proxy :
kfree ( proxy_fops ) ;
fops_put ( real_fops ) ;
out :
debugfs_use_file_finish ( srcu_idx ) ;
return r ;
}
const struct file_operations debugfs_full_proxy_file_operations = {
. open = full_proxy_open ,
} ;
2016-03-22 16:11:15 +03:00
ssize_t debugfs_attr_read ( struct file * file , char __user * buf ,
size_t len , loff_t * ppos )
{
ssize_t ret ;
int srcu_idx ;
ret = debugfs_use_file_start ( F_DENTRY ( file ) , & srcu_idx ) ;
if ( likely ( ! ret ) )
ret = simple_attr_read ( file , buf , len , ppos ) ;
debugfs_use_file_finish ( srcu_idx ) ;
return ret ;
}
EXPORT_SYMBOL_GPL ( debugfs_attr_read ) ;
ssize_t debugfs_attr_write ( struct file * file , const char __user * buf ,
size_t len , loff_t * ppos )
{
ssize_t ret ;
int srcu_idx ;
ret = debugfs_use_file_start ( F_DENTRY ( file ) , & srcu_idx ) ;
if ( likely ( ! ret ) )
ret = simple_attr_write ( file , buf , len , ppos ) ;
debugfs_use_file_finish ( srcu_idx ) ;
return ret ;
}
EXPORT_SYMBOL_GPL ( debugfs_attr_write ) ;
2016-03-22 16:11:17 +03:00
static struct dentry * debugfs_create_mode_unsafe ( const char * name , umode_t mode ,
struct dentry * parent , void * value ,
const struct file_operations * fops ,
const struct file_operations * fops_ro ,
const struct file_operations * fops_wo )
{
/* if there are no write bits set, make read only */
if ( ! ( mode & S_IWUGO ) )
return debugfs_create_file_unsafe ( name , mode , parent , value ,
fops_ro ) ;
/* if there are no read bits set, make write only */
if ( ! ( mode & S_IRUGO ) )
return debugfs_create_file_unsafe ( name , mode , parent , value ,
fops_wo ) ;
return debugfs_create_file_unsafe ( name , mode , parent , value , fops ) ;
}
2008-02-08 15:20:26 +03:00
static int debugfs_u8_set ( void * data , u64 val )
2005-05-18 16:40:59 +04:00
{
* ( u8 * ) data = val ;
2008-02-08 15:20:26 +03:00
return 0 ;
2005-05-18 16:40:59 +04:00
}
2008-02-08 15:20:26 +03:00
static int debugfs_u8_get ( void * data , u64 * val )
2005-05-18 16:40:59 +04:00
{
2008-02-08 15:20:26 +03:00
* val = * ( u8 * ) data ;
return 0 ;
2005-05-18 16:40:59 +04:00
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u8 , debugfs_u8_get , debugfs_u8_set , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u8_ro , debugfs_u8_get , NULL , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u8_wo , NULL , debugfs_u8_set , " %llu \n " ) ;
2005-04-17 02:20:36 +04:00
/**
2006-07-20 19:16:42 +04:00
* debugfs_create_u8 - create a debugfs file that is used to read and write an unsigned 8 - bit value
2005-04-17 02:20:36 +04:00
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
2006-07-20 19:16:42 +04:00
* directory dentry if set . If this parameter is % NULL , then the
2005-04-17 02:20:36 +04:00
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @ value . If the @ mode variable is so
* set , it can be read from , and written to .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
2006-07-20 19:16:42 +04:00
* you are responsible here . ) If an error occurs , % NULL will be returned .
2005-04-17 02:20:36 +04:00
*
2006-07-20 19:16:42 +04:00
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
2005-04-17 02:20:36 +04:00
* returned . It is not wise to check for this value , but rather , check for
2006-07-20 19:16:42 +04:00
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
2005-04-17 02:20:36 +04:00
* code .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_u8 ( const char * name , umode_t mode ,
2005-04-17 02:20:36 +04:00
struct dentry * parent , u8 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_u8 ,
2015-10-13 04:09:09 +03:00
& fops_u8_ro , & fops_u8_wo ) ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_u8 ) ;
2008-02-08 15:20:26 +03:00
static int debugfs_u16_set ( void * data , u64 val )
2005-05-18 16:40:59 +04:00
{
* ( u16 * ) data = val ;
2008-02-08 15:20:26 +03:00
return 0 ;
2005-05-18 16:40:59 +04:00
}
2008-02-08 15:20:26 +03:00
static int debugfs_u16_get ( void * data , u64 * val )
2005-05-18 16:40:59 +04:00
{
2008-02-08 15:20:26 +03:00
* val = * ( u16 * ) data ;
return 0 ;
2005-05-18 16:40:59 +04:00
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u16 , debugfs_u16_get , debugfs_u16_set , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u16_ro , debugfs_u16_get , NULL , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u16_wo , NULL , debugfs_u16_set , " %llu \n " ) ;
2005-05-18 16:40:59 +04:00
2005-04-17 02:20:36 +04:00
/**
2006-07-20 19:16:42 +04:00
* debugfs_create_u16 - create a debugfs file that is used to read and write an unsigned 16 - bit value
2005-04-17 02:20:36 +04:00
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
2006-07-20 19:16:42 +04:00
* directory dentry if set . If this parameter is % NULL , then the
2005-04-17 02:20:36 +04:00
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @ value . If the @ mode variable is so
* set , it can be read from , and written to .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
2006-07-20 19:16:42 +04:00
* you are responsible here . ) If an error occurs , % NULL will be returned .
2005-04-17 02:20:36 +04:00
*
2006-07-20 19:16:42 +04:00
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
2005-04-17 02:20:36 +04:00
* returned . It is not wise to check for this value , but rather , check for
2006-07-20 19:16:42 +04:00
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
2005-04-17 02:20:36 +04:00
* code .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_u16 ( const char * name , umode_t mode ,
2005-04-17 02:20:36 +04:00
struct dentry * parent , u16 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_u16 ,
2015-10-13 04:09:09 +03:00
& fops_u16_ro , & fops_u16_wo ) ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_u16 ) ;
2008-02-08 15:20:26 +03:00
static int debugfs_u32_set ( void * data , u64 val )
2005-05-18 16:40:59 +04:00
{
* ( u32 * ) data = val ;
2008-02-08 15:20:26 +03:00
return 0 ;
2005-05-18 16:40:59 +04:00
}
2008-02-08 15:20:26 +03:00
static int debugfs_u32_get ( void * data , u64 * val )
2005-05-18 16:40:59 +04:00
{
2008-02-08 15:20:26 +03:00
* val = * ( u32 * ) data ;
return 0 ;
2005-05-18 16:40:59 +04:00
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u32 , debugfs_u32_get , debugfs_u32_set , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u32_ro , debugfs_u32_get , NULL , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u32_wo , NULL , debugfs_u32_set , " %llu \n " ) ;
2005-05-18 16:40:59 +04:00
2005-04-17 02:20:36 +04:00
/**
2006-07-20 19:16:42 +04:00
* debugfs_create_u32 - create a debugfs file that is used to read and write an unsigned 32 - bit value
2005-04-17 02:20:36 +04:00
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
2006-07-20 19:16:42 +04:00
* directory dentry if set . If this parameter is % NULL , then the
2005-04-17 02:20:36 +04:00
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @ value . If the @ mode variable is so
* set , it can be read from , and written to .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
2006-07-20 19:16:42 +04:00
* you are responsible here . ) If an error occurs , % NULL will be returned .
2005-04-17 02:20:36 +04:00
*
2006-07-20 19:16:42 +04:00
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
2005-04-17 02:20:36 +04:00
* returned . It is not wise to check for this value , but rather , check for
2006-07-20 19:16:42 +04:00
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
2005-04-17 02:20:36 +04:00
* code .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_u32 ( const char * name , umode_t mode ,
2005-04-17 02:20:36 +04:00
struct dentry * parent , u32 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_u32 ,
2015-10-13 04:09:09 +03:00
& fops_u32_ro , & fops_u32_wo ) ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_u32 ) ;
2008-02-08 15:20:26 +03:00
static int debugfs_u64_set ( void * data , u64 val )
2007-04-17 09:59:36 +04:00
{
* ( u64 * ) data = val ;
2008-02-08 15:20:26 +03:00
return 0 ;
2007-04-17 09:59:36 +04:00
}
2008-02-08 15:20:26 +03:00
static int debugfs_u64_get ( void * data , u64 * val )
2007-04-17 09:59:36 +04:00
{
2008-02-08 15:20:26 +03:00
* val = * ( u64 * ) data ;
return 0 ;
2007-04-17 09:59:36 +04:00
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u64 , debugfs_u64_get , debugfs_u64_set , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u64_ro , debugfs_u64_get , NULL , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_u64_wo , NULL , debugfs_u64_set , " %llu \n " ) ;
2007-04-17 09:59:36 +04:00
/**
* debugfs_create_u64 - create a debugfs file that is used to read and write an unsigned 64 - bit value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @ value . If the @ mode variable is so
* set , it can be read from , and written to .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
* you are responsible here . ) If an error occurs , % NULL will be returned .
*
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
* returned . It is not wise to check for this value , but rather , check for
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
* code .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_u64 ( const char * name , umode_t mode ,
2007-04-17 09:59:36 +04:00
struct dentry * parent , u64 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_u64 ,
2015-10-13 04:09:09 +03:00
& fops_u64_ro , & fops_u64_wo ) ;
2007-04-17 09:59:36 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_u64 ) ;
2015-10-18 20:13:19 +03:00
static int debugfs_ulong_set ( void * data , u64 val )
{
* ( unsigned long * ) data = val ;
return 0 ;
}
static int debugfs_ulong_get ( void * data , u64 * val )
{
* val = * ( unsigned long * ) data ;
return 0 ;
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_ulong , debugfs_ulong_get , debugfs_ulong_set ,
" %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_ulong_ro , debugfs_ulong_get , NULL , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_ulong_wo , NULL , debugfs_ulong_set , " %llu \n " ) ;
2015-10-18 20:13:19 +03:00
/**
* debugfs_create_ulong - create a debugfs file that is used to read and write
* an unsigned long value .
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @ value . If the @ mode variable is so
* set , it can be read from , and written to .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
* you are responsible here . ) If an error occurs , % NULL will be returned .
*
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
* returned . It is not wise to check for this value , but rather , check for
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
* code .
*/
struct dentry * debugfs_create_ulong ( const char * name , umode_t mode ,
struct dentry * parent , unsigned long * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value ,
& fops_ulong , & fops_ulong_ro ,
& fops_ulong_wo ) ;
2015-10-18 20:13:19 +03:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_ulong ) ;
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x8 , debugfs_u8_get , debugfs_u8_set , " 0x%02llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x8_ro , debugfs_u8_get , NULL , " 0x%02llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x8_wo , NULL , debugfs_u8_set , " 0x%02llx \n " ) ;
2007-08-03 02:23:50 +04:00
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x16 , debugfs_u16_get , debugfs_u16_set ,
" 0x%04llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x16_ro , debugfs_u16_get , NULL , " 0x%04llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x16_wo , NULL , debugfs_u16_set , " 0x%04llx \n " ) ;
2007-08-03 02:23:50 +04:00
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x32 , debugfs_u32_get , debugfs_u32_set ,
" 0x%08llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x32_ro , debugfs_u32_get , NULL , " 0x%08llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x32_wo , NULL , debugfs_u32_set , " 0x%08llx \n " ) ;
2007-08-03 02:23:50 +04:00
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x64 , debugfs_u64_get , debugfs_u64_set ,
" 0x%016llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x64_ro , debugfs_u64_get , NULL , " 0x%016llx \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_x64_wo , NULL , debugfs_u64_set , " 0x%016llx \n " ) ;
2010-05-18 10:35:23 +04:00
2007-10-16 04:30:19 +04:00
/*
2010-05-18 10:35:23 +04:00
* debugfs_create_x { 8 , 16 , 32 , 64 } - create a debugfs file that is used to read and write an unsigned { 8 , 16 , 32 , 64 } - bit value
2007-08-03 02:23:50 +04:00
*
2007-10-16 04:30:19 +04:00
* These functions are exactly the same as the above functions ( but use a hex
* output for the decimal challenged ) . For details look at the above unsigned
2007-08-03 02:23:50 +04:00
* decimal functions .
*/
2007-10-16 04:30:19 +04:00
/**
* debugfs_create_x8 - create a debugfs file that is used to read and write an unsigned 8 - bit value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_x8 ( const char * name , umode_t mode ,
2007-08-03 02:23:50 +04:00
struct dentry * parent , u8 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_x8 ,
2015-10-13 04:09:09 +03:00
& fops_x8_ro , & fops_x8_wo ) ;
2007-08-03 02:23:50 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_x8 ) ;
2007-10-16 04:30:19 +04:00
/**
* debugfs_create_x16 - create a debugfs file that is used to read and write an unsigned 16 - bit value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_x16 ( const char * name , umode_t mode ,
2007-08-03 02:23:50 +04:00
struct dentry * parent , u16 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_x16 ,
2015-10-13 04:09:09 +03:00
& fops_x16_ro , & fops_x16_wo ) ;
2007-08-03 02:23:50 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_x16 ) ;
2007-10-16 04:30:19 +04:00
/**
* debugfs_create_x32 - create a debugfs file that is used to read and write an unsigned 32 - bit value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_x32 ( const char * name , umode_t mode ,
2007-08-03 02:23:50 +04:00
struct dentry * parent , u32 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_x32 ,
2015-10-13 04:09:09 +03:00
& fops_x32_ro , & fops_x32_wo ) ;
2007-08-03 02:23:50 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_x32 ) ;
2010-05-18 10:35:23 +04:00
/**
* debugfs_create_x64 - create a debugfs file that is used to read and write an unsigned 64 - bit value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_x64 ( const char * name , umode_t mode ,
2010-05-18 10:35:23 +04:00
struct dentry * parent , u64 * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_x64 ,
2015-10-13 04:09:10 +03:00
& fops_x64_ro , & fops_x64_wo ) ;
2010-05-18 10:35:23 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_x64 ) ;
2008-12-21 03:57:39 +03:00
static int debugfs_size_t_set ( void * data , u64 val )
{
* ( size_t * ) data = val ;
return 0 ;
}
static int debugfs_size_t_get ( void * data , u64 * val )
{
* val = * ( size_t * ) data ;
return 0 ;
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_size_t , debugfs_size_t_get , debugfs_size_t_set ,
" %llu \n " ) ; /* %llu and %zu are more or less the same */
DEFINE_DEBUGFS_ATTRIBUTE ( fops_size_t_ro , debugfs_size_t_get , NULL , " %llu \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_size_t_wo , NULL , debugfs_size_t_set , " %llu \n " ) ;
2008-12-21 03:57:39 +03:00
/**
* debugfs_create_size_t - create a debugfs file that is used to read and write an size_t value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_size_t ( const char * name , umode_t mode ,
2008-12-21 03:57:39 +03:00
struct dentry * parent , size_t * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value ,
& fops_size_t , & fops_size_t_ro ,
& fops_size_t_wo ) ;
2008-12-21 03:57:39 +03:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_size_t ) ;
2013-06-04 00:33:02 +04:00
static int debugfs_atomic_t_set ( void * data , u64 val )
{
atomic_set ( ( atomic_t * ) data , val ) ;
return 0 ;
}
static int debugfs_atomic_t_get ( void * data , u64 * val )
{
* val = atomic_read ( ( atomic_t * ) data ) ;
return 0 ;
}
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_atomic_t , debugfs_atomic_t_get ,
2013-06-04 00:33:02 +04:00
debugfs_atomic_t_set , " %lld \n " ) ;
2016-03-22 16:11:17 +03:00
DEFINE_DEBUGFS_ATTRIBUTE ( fops_atomic_t_ro , debugfs_atomic_t_get , NULL ,
" %lld \n " ) ;
DEFINE_DEBUGFS_ATTRIBUTE ( fops_atomic_t_wo , NULL , debugfs_atomic_t_set ,
" %lld \n " ) ;
2013-06-04 00:33:02 +04:00
/**
* debugfs_create_atomic_t - create a debugfs file that is used to read and
* write an atomic_t value
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*/
struct dentry * debugfs_create_atomic_t ( const char * name , umode_t mode ,
struct dentry * parent , atomic_t * value )
{
2016-03-22 16:11:17 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value ,
& fops_atomic_t , & fops_atomic_t_ro ,
& fops_atomic_t_wo ) ;
2013-06-04 00:33:02 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_atomic_t ) ;
2008-12-21 03:57:39 +03:00
2015-06-23 16:32:54 +03:00
ssize_t debugfs_read_file_bool ( struct file * file , char __user * user_buf ,
size_t count , loff_t * ppos )
2005-04-17 02:20:36 +04:00
{
char buf [ 3 ] ;
2016-03-22 16:11:18 +03:00
bool val ;
int r , srcu_idx ;
r = debugfs_use_file_start ( F_DENTRY ( file ) , & srcu_idx ) ;
if ( likely ( ! r ) )
val = * ( bool * ) file - > private_data ;
debugfs_use_file_finish ( srcu_idx ) ;
if ( r )
return r ;
2014-06-06 21:42:04 +04:00
2016-03-22 16:11:18 +03:00
if ( val )
2005-04-17 02:20:36 +04:00
buf [ 0 ] = ' Y ' ;
else
buf [ 0 ] = ' N ' ;
buf [ 1 ] = ' \n ' ;
buf [ 2 ] = 0x00 ;
return simple_read_from_buffer ( user_buf , count , ppos , buf , 2 ) ;
}
2015-06-23 16:32:54 +03:00
EXPORT_SYMBOL_GPL ( debugfs_read_file_bool ) ;
2005-04-17 02:20:36 +04:00
2015-06-23 16:32:54 +03:00
ssize_t debugfs_write_file_bool ( struct file * file , const char __user * user_buf ,
size_t count , loff_t * ppos )
2005-04-17 02:20:36 +04:00
{
char buf [ 32 ] ;
2011-05-13 03:50:07 +04:00
size_t buf_size ;
2011-04-19 15:43:46 +04:00
bool bv ;
2016-03-22 16:11:18 +03:00
int r , srcu_idx ;
2015-09-27 01:04:07 +03:00
bool * val = file - > private_data ;
2005-04-17 02:20:36 +04:00
buf_size = min ( count , ( sizeof ( buf ) - 1 ) ) ;
if ( copy_from_user ( buf , user_buf , buf_size ) )
return - EFAULT ;
2013-06-01 01:24:29 +04:00
buf [ buf_size ] = ' \0 ' ;
2016-03-22 16:11:18 +03:00
if ( strtobool ( buf , & bv ) = = 0 ) {
r = debugfs_use_file_start ( F_DENTRY ( file ) , & srcu_idx ) ;
if ( likely ( ! r ) )
* val = bv ;
debugfs_use_file_finish ( srcu_idx ) ;
if ( r )
return r ;
}
2011-04-19 15:43:46 +04:00
2005-04-17 02:20:36 +04:00
return count ;
}
2015-06-23 16:32:54 +03:00
EXPORT_SYMBOL_GPL ( debugfs_write_file_bool ) ;
2005-04-17 02:20:36 +04:00
2006-03-28 13:56:42 +04:00
static const struct file_operations fops_bool = {
2015-06-23 16:32:54 +03:00
. read = debugfs_read_file_bool ,
. write = debugfs_write_file_bool ,
2012-04-06 01:25:11 +04:00
. open = simple_open ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2005-04-17 02:20:36 +04:00
} ;
2015-10-13 04:09:12 +03:00
static const struct file_operations fops_bool_ro = {
. read = debugfs_read_file_bool ,
. open = simple_open ,
. llseek = default_llseek ,
} ;
static const struct file_operations fops_bool_wo = {
. write = debugfs_write_file_bool ,
. open = simple_open ,
. llseek = default_llseek ,
} ;
2005-04-17 02:20:36 +04:00
/**
2006-07-20 19:16:42 +04:00
* debugfs_create_bool - create a debugfs file that is used to read and write a boolean value
2005-04-17 02:20:36 +04:00
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
2006-07-20 19:16:42 +04:00
* directory dentry if set . If this parameter is % NULL , then the
2005-04-17 02:20:36 +04:00
* file will be created in the root of the debugfs filesystem .
* @ value : a pointer to the variable that the file should read to and write
* from .
*
* This function creates a file in debugfs with the given name that
* contains the value of the variable @ value . If the @ mode variable is so
* set , it can be read from , and written to .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
2006-07-20 19:16:42 +04:00
* you are responsible here . ) If an error occurs , % NULL will be returned .
2005-04-17 02:20:36 +04:00
*
2006-07-20 19:16:42 +04:00
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
2005-04-17 02:20:36 +04:00
* returned . It is not wise to check for this value , but rather , check for
2006-07-20 19:16:42 +04:00
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
2005-04-17 02:20:36 +04:00
* code .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_bool ( const char * name , umode_t mode ,
2015-09-27 01:04:07 +03:00
struct dentry * parent , bool * value )
2005-04-17 02:20:36 +04:00
{
2016-03-22 16:11:18 +03:00
return debugfs_create_mode_unsafe ( name , mode , parent , value , & fops_bool ,
2015-10-13 04:09:12 +03:00
& fops_bool_ro , & fops_bool_wo ) ;
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_bool ) ;
2006-03-07 13:41:59 +03:00
static ssize_t read_file_blob ( struct file * file , char __user * user_buf ,
size_t count , loff_t * ppos )
{
struct debugfs_blob_wrapper * blob = file - > private_data ;
2016-03-22 16:11:19 +03:00
ssize_t r ;
int srcu_idx ;
r = debugfs_use_file_start ( F_DENTRY ( file ) , & srcu_idx ) ;
if ( likely ( ! r ) )
r = simple_read_from_buffer ( user_buf , count , ppos , blob - > data ,
blob - > size ) ;
debugfs_use_file_finish ( srcu_idx ) ;
return r ;
2006-03-07 13:41:59 +03:00
}
2007-02-12 11:55:34 +03:00
static const struct file_operations fops_blob = {
2006-03-07 13:41:59 +03:00
. read = read_file_blob ,
2012-04-06 01:25:11 +04:00
. open = simple_open ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2006-03-07 13:41:59 +03:00
} ;
/**
2009-05-25 20:15:27 +04:00
* debugfs_create_blob - create a debugfs file that is used to read a binary blob
2006-03-07 13:41:59 +03:00
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
2006-07-20 19:16:42 +04:00
* directory dentry if set . If this parameter is % NULL , then the
2006-03-07 13:41:59 +03:00
* file will be created in the root of the debugfs filesystem .
* @ blob : a pointer to a struct debugfs_blob_wrapper which contains a pointer
* to the blob data and the size of the data .
*
* This function creates a file in debugfs with the given name that exports
* @ blob - > data as a binary blob . If the @ mode variable is so set it can be
* read from . Writing is not supported .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
2006-07-20 19:16:42 +04:00
* you are responsible here . ) If an error occurs , % NULL will be returned .
2006-03-07 13:41:59 +03:00
*
2006-07-20 19:16:42 +04:00
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
2006-03-07 13:41:59 +03:00
* returned . It is not wise to check for this value , but rather , check for
2006-07-20 19:16:42 +04:00
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
2006-03-07 13:41:59 +03:00
* code .
*/
2011-07-24 12:33:43 +04:00
struct dentry * debugfs_create_blob ( const char * name , umode_t mode ,
2006-03-07 13:41:59 +03:00
struct dentry * parent ,
struct debugfs_blob_wrapper * blob )
{
2016-03-22 16:11:19 +03:00
return debugfs_create_file_unsafe ( name , mode , parent , blob , & fops_blob ) ;
2006-03-07 13:41:59 +03:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_blob ) ;
2011-11-18 17:50:21 +04:00
2012-03-23 12:06:28 +04:00
struct array_data {
void * array ;
u32 elements ;
} ;
2012-09-21 22:48:05 +04:00
static size_t u32_format_array ( char * buf , size_t bufsize ,
u32 * array , int array_size )
2012-03-23 12:06:28 +04:00
{
size_t ret = 0 ;
2012-09-21 22:48:05 +04:00
while ( - - array_size > = 0 ) {
2012-03-23 12:06:28 +04:00
size_t len ;
2012-09-21 22:48:05 +04:00
char term = array_size ? ' ' : ' \n ' ;
2012-03-23 12:06:28 +04:00
2012-09-21 22:48:05 +04:00
len = snprintf ( buf , bufsize , " %u%c " , * array + + , term ) ;
2012-03-23 12:06:28 +04:00
ret + = len ;
2012-09-21 22:48:05 +04:00
buf + = len ;
bufsize - = len ;
2012-03-23 12:06:28 +04:00
}
return ret ;
}
2012-09-21 13:16:29 +04:00
static int u32_array_open ( struct inode * inode , struct file * file )
2012-03-23 12:06:28 +04:00
{
struct array_data * data = inode - > i_private ;
2012-09-21 22:48:05 +04:00
int size , elements = data - > elements ;
char * buf ;
/*
* Max size :
* - 10 digits + ' ' / ' \n ' = 11 bytes per number
* - terminating NUL character
*/
size = elements * 11 ;
buf = kmalloc ( size + 1 , GFP_KERNEL ) ;
if ( ! buf )
2012-09-21 13:16:29 +04:00
return - ENOMEM ;
2012-09-21 22:48:05 +04:00
buf [ size ] = 0 ;
file - > private_data = buf ;
u32_format_array ( buf , size , data - > array , data - > elements ) ;
2012-09-21 13:16:29 +04:00
return nonseekable_open ( inode , file ) ;
}
2012-03-23 12:06:28 +04:00
2012-09-21 13:16:29 +04:00
static ssize_t u32_array_read ( struct file * file , char __user * buf , size_t len ,
loff_t * ppos )
{
size_t size = strlen ( file - > private_data ) ;
2012-03-23 12:06:28 +04:00
return simple_read_from_buffer ( buf , len , ppos ,
file - > private_data , size ) ;
}
static int u32_array_release ( struct inode * inode , struct file * file )
{
kfree ( file - > private_data ) ;
return 0 ;
}
static const struct file_operations u32_array_fops = {
. owner = THIS_MODULE ,
. open = u32_array_open ,
. release = u32_array_release ,
. read = u32_array_read ,
. llseek = no_llseek ,
} ;
/**
* debugfs_create_u32_array - create a debugfs file that is used to read u32
* array .
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have .
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ array : u32 array that provides data .
* @ elements : total number of elements in the array .
*
* This function creates a file in debugfs with the given name that exports
* @ array as data . If the @ mode variable is so set it can be read from .
* Writing is not supported . Seek within the file is also not supported .
* Once array is created its size can not be changed .
*
* The function returns a pointer to dentry on success . If debugfs is not
* enabled in the kernel , the value - % ENODEV will be returned .
*/
struct dentry * debugfs_create_u32_array ( const char * name , umode_t mode ,
struct dentry * parent ,
u32 * array , u32 elements )
{
struct array_data * data = kmalloc ( sizeof ( * data ) , GFP_KERNEL ) ;
if ( data = = NULL )
return NULL ;
data - > array = array ;
data - > elements = elements ;
2016-03-22 16:11:20 +03:00
return debugfs_create_file_unsafe ( name , mode , parent , data ,
& u32_array_fops ) ;
2012-03-23 12:06:28 +04:00
}
EXPORT_SYMBOL_GPL ( debugfs_create_u32_array ) ;
2011-12-27 18:08:28 +04:00
# ifdef CONFIG_HAS_IOMEM
2011-11-18 17:50:21 +04:00
/*
* The regset32 stuff is used to print 32 - bit registers using the
* seq_file utilities . We offer printing a register set in an already - opened
* sequential file or create a debugfs file that only prints a regset32 .
*/
/**
* debugfs_print_regs32 - use seq_print to describe a set of registers
* @ s : the seq_file structure being used to generate output
* @ regs : an array if struct debugfs_reg32 structures
2012-01-21 23:02:42 +04:00
* @ nregs : the length of the above array
2011-11-18 17:50:21 +04:00
* @ base : the base address to be used in reading the registers
* @ prefix : a string to be prefixed to every output line
*
* This function outputs a text block describing the current values of
* some 32 - bit hardware registers . It is meant to be used within debugfs
* files based on seq_file that need to show registers , intermixed with other
* information . The prefix argument may be used to specify a leading string ,
* because some peripherals have several blocks of identical registers ,
* for example configuration of dma channels
*/
2014-09-30 03:08:26 +04:00
void debugfs_print_regs32 ( struct seq_file * s , const struct debugfs_reg32 * regs ,
int nregs , void __iomem * base , char * prefix )
2011-11-18 17:50:21 +04:00
{
2014-09-30 03:08:26 +04:00
int i ;
2011-11-18 17:50:21 +04:00
for ( i = 0 ; i < nregs ; i + + , regs + + ) {
if ( prefix )
2014-09-30 03:08:26 +04:00
seq_printf ( s , " %s " , prefix ) ;
seq_printf ( s , " %s = 0x%08x \n " , regs - > name ,
readl ( base + regs - > offset ) ) ;
if ( seq_has_overflowed ( s ) )
break ;
2011-11-18 17:50:21 +04:00
}
}
EXPORT_SYMBOL_GPL ( debugfs_print_regs32 ) ;
static int debugfs_show_regset32 ( struct seq_file * s , void * data )
{
struct debugfs_regset32 * regset = s - > private ;
debugfs_print_regs32 ( s , regset - > regs , regset - > nregs , regset - > base , " " ) ;
return 0 ;
}
static int debugfs_open_regset32 ( struct inode * inode , struct file * file )
{
return single_open ( file , debugfs_show_regset32 , inode - > i_private ) ;
}
static const struct file_operations fops_regset32 = {
. open = debugfs_open_regset32 ,
. read = seq_read ,
. llseek = seq_lseek ,
. release = single_release ,
} ;
/**
* debugfs_create_regset32 - create a debugfs file that returns register values
* @ name : a pointer to a string containing the name of the file to create .
* @ mode : the permission that the file should have
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ regset : a pointer to a struct debugfs_regset32 , which contains a pointer
* to an array of register definitions , the array size and the base
* address where the register bank is to be found .
*
* This function creates a file in debugfs with the given name that reports
* the names and values of a set of 32 - bit registers . If the @ mode variable
* is so set it can be read from . Writing is not supported .
*
* This function will return a pointer to a dentry if it succeeds . This
* pointer must be passed to the debugfs_remove ( ) function when the file is
* to be removed ( no automatic cleanup happens if your module is unloaded ,
* you are responsible here . ) If an error occurs , % NULL will be returned .
*
* If debugfs is not enabled in the kernel , the value - % ENODEV will be
* returned . It is not wise to check for this value , but rather , check for
* % NULL or ! % NULL instead as to eliminate the need for # ifdef in the calling
* code .
*/
2012-03-20 14:00:24 +04:00
struct dentry * debugfs_create_regset32 ( const char * name , umode_t mode ,
2011-11-18 17:50:21 +04:00
struct dentry * parent ,
struct debugfs_regset32 * regset )
{
return debugfs_create_file ( name , mode , parent , regset , & fops_regset32 ) ;
}
EXPORT_SYMBOL_GPL ( debugfs_create_regset32 ) ;
2011-12-27 18:08:28 +04:00
# endif /* CONFIG_HAS_IOMEM */
2014-11-09 13:31:58 +03:00
struct debugfs_devm_entry {
int ( * read ) ( struct seq_file * seq , void * data ) ;
struct device * dev ;
} ;
static int debugfs_devm_entry_open ( struct inode * inode , struct file * f )
{
struct debugfs_devm_entry * entry = inode - > i_private ;
return single_open ( f , entry - > read , entry - > dev ) ;
}
static const struct file_operations debugfs_devm_entry_ops = {
. owner = THIS_MODULE ,
. open = debugfs_devm_entry_open ,
. release = single_release ,
. read = seq_read ,
. llseek = seq_lseek
} ;
/**
* debugfs_create_devm_seqfile - create a debugfs file that is bound to device .
*
* @ dev : device related to this debugfs file .
* @ name : name of the debugfs file .
* @ parent : a pointer to the parent dentry for this file . This should be a
* directory dentry if set . If this parameter is % NULL , then the
* file will be created in the root of the debugfs filesystem .
* @ read_fn : function pointer called to print the seq_file content .
*/
struct dentry * debugfs_create_devm_seqfile ( struct device * dev , const char * name ,
struct dentry * parent ,
int ( * read_fn ) ( struct seq_file * s ,
void * data ) )
{
struct debugfs_devm_entry * entry ;
if ( IS_ERR ( parent ) )
return ERR_PTR ( - ENOENT ) ;
entry = devm_kzalloc ( dev , sizeof ( * entry ) , GFP_KERNEL ) ;
if ( ! entry )
return ERR_PTR ( - ENOMEM ) ;
entry - > read = read_fn ;
entry - > dev = dev ;
return debugfs_create_file ( name , S_IRUGO , parent , entry ,
& debugfs_devm_entry_ops ) ;
}
EXPORT_SYMBOL_GPL ( debugfs_create_devm_seqfile ) ;