Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

s390/hypfs: Avoid unnecessary ioctl registration in debugfs

Currently, hypfs registers ioctl callbacks for all debugfs files,
despite only one file requiring them. This leads to unintended exposure
of unused interfaces to user space and can trigger side effects such as
restricted access when kernel lockdown is enabled.

Restrict ioctl registration to only those files that implement ioctl
functionality to avoid interface clutter and unnecessary access
restrictions.

Tested-by: Mete Durlu <meted@linux.ibm.com>
Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>

Authored by Peter Oberparleiter and committed by Alexander Gordeev
fec7bdfe 93f616ff

+11 -7
arch/s390/hypfs/hypfs_dbfs.c
··· 66 66 long rc; 67 67 68 68 mutex_lock(&df->lock); 69 - if (df->unlocked_ioctl) 70 - rc = df->unlocked_ioctl(file, cmd, arg); 71 - else 72 - rc = -ENOTTY; 69 + rc = df->unlocked_ioctl(file, cmd, arg); 73 70 mutex_unlock(&df->lock); 74 71 return rc; 75 72 } 76 73 77 - static const struct file_operations dbfs_ops = { 74 + static const struct file_operations dbfs_ops_ioctl = { 78 75 .read = dbfs_read, 79 76 .unlocked_ioctl = dbfs_ioctl, 80 77 }; 81 78 79 + static const struct file_operations dbfs_ops = { 80 + .read = dbfs_read, 81 + }; 82 + 82 83 void hypfs_dbfs_create_file(struct hypfs_dbfs_file *df) 83 84 { 84 - df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, 85 - &dbfs_ops); 85 + const struct file_operations *fops = &dbfs_ops; 86 + 87 + if (df->unlocked_ioctl) 88 + fops = &dbfs_ops_ioctl; 89 + df->dentry = debugfs_create_file(df->name, 0400, dbfs_dir, df, fops); 86 90 mutex_init(&df->lock); 87 91 } 88 92
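Review bot: In dbfs_ioctl() the NULL check on df->unlocked_ioctl is removed, so the unconditional call `rc = df->unlocked_ioctl(file, cmd, arg);` is safe only because hypfs_dbfs_create_file() selects dbfs_ops_ioctl when that pointer is set, and nothing in the hunk documents this coupling. The choice of fops is also made once, at file creation, so a caller that assigns df->unlocked_ioctl after hypfs_dbfs_create_file() would silently get a file without ioctl support, where the old code would have dispatched to it. Consider a short comment above dbfs_ops_ioctl stating that it is only installed for files with a non-NULL df->unlocked_ioctl and that the callback must be set before the file is created. The two file_operations tables are otherwise identical apart from .unlocked_ioctl, and keeping them adjacent, as done here, makes that easy to verify.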