On Fri, Oct 09, 2020 at 10:56:16AM +, David Laight wrote:
> From: Johannes Berg
> > Sent: 09 October 2020 11:48
> >
> > On Fri, 2020-10-09 at 12:41 +0200, Johannes Berg wrote:
> >
> > > If the fops doesn't have a release method, we don't even need
> > > to keep a reference to the real_fops, w
On Fri, 2020-10-09 at 10:56 +, David Laight wrote:
> From: Johannes Berg
> > Sent: 09 October 2020 11:48
> >
> > On Fri, 2020-10-09 at 12:41 +0200, Johannes Berg wrote:
> >
> > > If the fops doesn't have a release method, we don't even need
> > > to keep a reference to the real_fops, we can j
From: Johannes Berg
> Sent: 09 October 2020 11:48
>
> On Fri, 2020-10-09 at 12:41 +0200, Johannes Berg wrote:
>
> > If the fops doesn't have a release method, we don't even need
> > to keep a reference to the real_fops, we can just fops_put()
> > them already in debugfs remove, and a later full_p
On Fri, 2020-10-09 at 12:41 +0200, Johannes Berg wrote:
> If the fops doesn't have a release method, we don't even need
> to keep a reference to the real_fops, we can just fops_put()
> them already in debugfs remove, and a later full_proxy_release()
> won't call anything anyway - this just crashed
From: Johannes Berg
Currently, things will crash (or at least UAF) in release() when
a module owning a debugfs file, but that didn't set the fops.owner,
is removed while the offending debugfs file is open.
Since we have the proxy_fops, we can break that down into two
different cases:
If the fop
