On Thu, Nov 06, 2025 at 11:47:15AM -0400, Jason Gunthorpe wrote:
On Thu, Nov 06, 2025 at 11:27:10PM +0800, Tzung-Bi Shih wrote:
+/*
- Recover the private_data to its original one.
- */
+static struct fops_replacement *_recover_private_data(struct file *filp) +{
- struct fops_replacement *fr = filp->private_data;
- filp->private_data = fr->orig_private_data;
- return fr;
+}
+/*
- Replace the private_data to fops_replacement.
- */
+static void _replace_private_data(struct fops_replacement *fr) +{
- fr->filp->private_data = fr;
+}
This switching of private_data isn't reasonable, it breaks too much stuff. I think I showed a better idea in my sketch.
The approach assumes the filp->private_data should be set once by the filp->f_op->open() if any. Is it common that the filp->private_data be updated in other file operations?
I still think this is a bad use case of revocable, we don't need to obfuscate very simple locks in *core* kernel code like this. I'd rather see you propose this series without using it.
+static int fs_revocable_release(struct inode *inode, struct file *filp) +{
- struct fops_replacement *fr = _recover_private_data(filp);
- int ret = 0;
- void *any;
- filp->f_op = fr->orig_fops;
- if (!fr->orig_fops->release)
goto leave;- REVOCABLE_TRY_ACCESS_SCOPED(fr->rev, any) {
if (!any) {ret = -ENODEV;goto leave;}ret = fr->orig_fops->release(inode, filp);- }
This probably doesn't work out, is likely to make a memory leak. It will be hard for the owning driver to free its per-file memory without access to release.
Ah, I think this reveals a drawback of the approach. - Without calling ->release(), some memory may leak. - With calling ->release(), some UAF may happen.