[v2,06/10] blk-debugfs: upgrade warns to BUG_ON() if directory is already found

Message ID 20200419194529.4872-7-mcgrof@kernel.org
State New, archived
Series block: fix blktrace debugfs use after free

Commit Message

Luis Chamberlain April 19, 2020, 7:45 p.m. UTC
Now that we have moved release_queue from being asynchronous to
synchronous, and fixed how we use the debugfs directory with blktrace
we should no longer have expected races with device removal/addition
and other operations with the debugfs directory.

If races do happen, however, we want to be informed of *how* this race
happens rather than dealing with a debugfs splat, so upgrading this to a
BUG_ON() should capture better information about how this can happen
in the future.

This is especially true these days with funky reproducers in userspace
to which we have no access, but only a bug splat.

Note that on addition the gendisk kobject is used as the parent for the
request_queue kobject, and upon removal, now that request_queue removal
is synchronous, blk_unregister_queue() is called prior to the gendisk
device_del(). This means we expect to see a sysfs clash first now prior
to running into a race with the debugfs dentry; so this bug would be
considered highly unlikely.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 block/blk-debugfs.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

Comments

Greg Kroah-Hartman April 20, 2020, 11:36 a.m. UTC | #1
On Sun, Apr 19, 2020 at 07:45:25PM +0000, Luis Chamberlain wrote:
> Now that we have moved release_queue from being asynchronous to
> synchronous, and fixed how we use the debugfs directory with blktrace
> we should no longer have expected races with device removal/addition
> and other operations with the debugfs directory.
> 
> If races do happen, however, we want to be informed of *how* this race
> happens rather than dealing with a debugfs splat, so upgrading this to a
> BUG_ON() should capture better information about how this can happen
> in the future.
> 
> This is especially true these days with funky reproducers in userspace
> to which we have no access, but only a bug splat.
> 
> Note that on addition the gendisk kobject is used as the parent for the
> request_queue kobject, and upon removal, now that request_queue removal
> is synchronous, blk_unregister_queue() is called prior to the gendisk
> device_del(). This means we expect to see a sysfs clash first now prior
> to running into a race with the debugfs dentry; so this bug would be
> considered highly unlikely.
> 
> Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
> ---
>  block/blk-debugfs.c | 10 +---------
>  1 file changed, 1 insertion(+), 9 deletions(-)
> 
> diff --git a/block/blk-debugfs.c b/block/blk-debugfs.c
> index d84038bce0a5..761318dcbf40 100644
> --- a/block/blk-debugfs.c
> +++ b/block/blk-debugfs.c
> @@ -19,16 +19,8 @@ void blk_debugfs_register(void)
>  
>  int __must_check blk_queue_debugfs_register(struct request_queue *q)
>  {
> -	struct dentry *dir = NULL;
> -
>  	/* This can happen if we have a bug in the lower layers */
> -	dir = debugfs_lookup(kobject_name(q->kobj.parent), blk_debugfs_root);
> -	if (dir) {
> -		pr_warn("%s: registering request_queue debugfs directory twice is not allowed\n",
> -			kobject_name(q->kobj.parent));
> -		dput(dir);
> -		return -EALREADY;
> -	}
> +	BUG_ON(debugfs_lookup(kobject_name(q->kobj.parent), blk_debugfs_root));
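
Review bot: the result of debugfs_lookup() at the new BUG_ON() line is never stored, so the dput(dir) that the removed lines performed on it has no counterpart any more, and the lookup is now a call with side effects buried inside an assertion condition. Keep the lookup in a local variable, test that variable, and release it with dput() on the found path as the removed code did, so the check reads the same whether or not the assertion macro evaluates its argument.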

So you are willing to crash the whole kernel and throw all of
userspace's data away if this happens?

Ick, no, don't do that, handle the issue correctly and move on.

As proof you shouldn't be doing this, that BUG_ON will trigger if
debugfs is not enabled, which might be a bit mean for all users of those
kernels :(

Hard NAK from me, sorry.

greg k-h

Patch

diff --git a/block/blk-debugfs.c b/block/blk-debugfs.c
index d84038bce0a5..761318dcbf40 100644
--- a/block/blk-debugfs.c
+++ b/block/blk-debugfs.c
@@ -19,16 +19,8 @@  void blk_debugfs_register(void)
 
 int __must_check blk_queue_debugfs_register(struct request_queue *q)
 {
-	struct dentry *dir = NULL;
-
 	/* This can happen if we have a bug in the lower layers */
-	dir = debugfs_lookup(kobject_name(q->kobj.parent), blk_debugfs_root);
-	if (dir) {
-		pr_warn("%s: registering request_queue debugfs directory twice is not allowed\n",
-			kobject_name(q->kobj.parent));
-		dput(dir);
-		return -EALREADY;
-	}
+	BUG_ON(debugfs_lookup(kobject_name(q->kobj.parent), blk_debugfs_root));
 
 	q->debugfs_dir = debugfs_create_dir(kobject_name(q->kobj.parent),
 					    blk_debugfs_root);
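
Review bot: blk_queue_debugfs_register() is declared int __must_check, so its callers are already obliged to handle a failure, yet the added BUG_ON() line replaces the recoverable "return -EALREADY" path with a fatal assertion. The comment kept directly above it still says this "can happen if we have a bug in the lower layers", which argues for an error return rather than taking the machine down. Suggest keeping the lookup, the dput() and the -EALREADY return, and if a backtrace is what the commit message is after, replacing pr_warn() with a WARN_ONCE() on the found path.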