fs/debugfs/inode.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
Mount options (uid, gid, mode) are silently ignored when debugfs is
mounted. This is a regression introduced during the conversion to the
new mount API.
When the mount API conversion was done, the line that sets
sb->s_fs_info to the parsed options was removed. This causes
debugfs_apply_options() to operate on a NULL pointer.
Fix this by following the same pattern as the tracefs fix in commit
e4d32142d1de ("tracing: Fix tracefs mount options"). Call
debugfs_reconfigure() in debugfs_get_tree() to apply the mount options
to the superblock after it has been created or reused.
As an example, with the bug the "mode" mount option is ignored:
$ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test
$ mount | grep debugfs_test
debugfs on /tmp/debugfs_test type debugfs (rw,relatime)
$ ls -ld /tmp/debugfs_test
drwx------ 25 root root 0 Aug 4 14:16 /tmp/debugfs_test
With the fix applied, it works as expected:
$ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test
$ mount | grep debugfs_test
debugfs on /tmp/debugfs_test type debugfs (rw,relatime,mode=666)
$ ls -ld /tmp/debugfs_test
drw-rw-rw- 37 root root 0 Aug 2 17:28 /tmp/debugfs_test
Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220406
Cc: stable@vger.kernel.org
Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
---
Changes in v2:
- Follow the same pattern as e4d32142d1de ("tracing: Fix tracefs mount options")
- Add Cc: stable tag
- Link to v1: https://lore.kernel.org/r/20250804-debugfs-mount-opts-v1-1-bc05947a80b5@posteo.net
---
fs/debugfs/inode.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index a0357b0cf362d8ac47ff810e162402d6a8ae2cb9..c12d649df6a5435050f606c2828a9a7cc61922e4 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -183,6 +183,9 @@ static int debugfs_reconfigure(struct fs_context *fc)
struct debugfs_fs_info *sb_opts = sb->s_fs_info;
struct debugfs_fs_info *new_opts = fc->s_fs_info;
+ if (!new_opts)
+ return 0;
+
sync_filesystem(sb);
/* structure copy of new mount options to sb */
@@ -282,10 +285,16 @@ static int debugfs_fill_super(struct super_block *sb, struct fs_context *fc)
static int debugfs_get_tree(struct fs_context *fc)
{
+ int err;
+
if (!(debugfs_allow & DEBUGFS_ALLOW_API))
return -EPERM;
- return get_tree_single(fc, debugfs_fill_super);
+ err = get_tree_single(fc, debugfs_fill_super);
+ if (err)
+ return err;
+
+ return debugfs_reconfigure(fc);
}
static void debugfs_free_fc(struct fs_context *fc)
---
base-commit: 3c4a063b1f8ab71352df1421d9668521acb63cd9
change-id: 20250804-debugfs-mount-opts-2a68d7741f05
Best regards,
--
Charalampos Mitrodimas <charmitro@posteo.net>On 8/13/25 6:55 PM, Charalampos Mitrodimas wrote:
> Mount options (uid, gid, mode) are silently ignored when debugfs is
> mounted. This is a regression introduced during the conversion to the
> new mount API.
>
> When the mount API conversion was done, the line that sets
> sb->s_fs_info to the parsed options was removed. This causes
> debugfs_apply_options() to operate on a NULL pointer.
The change looks fine to me but I'm a little confused by this paragraph.
Is there something in the current code that will lead to an OOPs of
the kernel on a NULL ptr?
I just don't want to generate CVEs if we don't have to ;)
As for the code change itself,
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Thanks!
> Fix this by following the same pattern as the tracefs fix in commit
> e4d32142d1de ("tracing: Fix tracefs mount options"). Call
> debugfs_reconfigure() in debugfs_get_tree() to apply the mount options
> to the superblock after it has been created or reused.
>
> As an example, with the bug the "mode" mount option is ignored:
>
> $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test
> $ mount | grep debugfs_test
> debugfs on /tmp/debugfs_test type debugfs (rw,relatime)
> $ ls -ld /tmp/debugfs_test
> drwx------ 25 root root 0 Aug 4 14:16 /tmp/debugfs_test
>
> With the fix applied, it works as expected:
>
> $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test
> $ mount | grep debugfs_test
> debugfs on /tmp/debugfs_test type debugfs (rw,relatime,mode=666)
> $ ls -ld /tmp/debugfs_test
> drw-rw-rw- 37 root root 0 Aug 2 17:28 /tmp/debugfs_test
>
> Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API")
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220406
> Cc: stable@vger.kernel.org
> Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
> ---
> Changes in v2:
> - Follow the same pattern as e4d32142d1de ("tracing: Fix tracefs mount options")
> - Add Cc: stable tag
> - Link to v1: https://lore.kernel.org/r/20250804-debugfs-mount-opts-v1-1-bc05947a80b5@posteo.net
> ---
> fs/debugfs/inode.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
> index a0357b0cf362d8ac47ff810e162402d6a8ae2cb9..c12d649df6a5435050f606c2828a9a7cc61922e4 100644
> --- a/fs/debugfs/inode.c
> +++ b/fs/debugfs/inode.c
> @@ -183,6 +183,9 @@ static int debugfs_reconfigure(struct fs_context *fc)
> struct debugfs_fs_info *sb_opts = sb->s_fs_info;
> struct debugfs_fs_info *new_opts = fc->s_fs_info;
>
> + if (!new_opts)
> + return 0;
> +
> sync_filesystem(sb);
>
> /* structure copy of new mount options to sb */
> @@ -282,10 +285,16 @@ static int debugfs_fill_super(struct super_block *sb, struct fs_context *fc)
>
> static int debugfs_get_tree(struct fs_context *fc)
> {
> + int err;
> +
> if (!(debugfs_allow & DEBUGFS_ALLOW_API))
> return -EPERM;
>
> - return get_tree_single(fc, debugfs_fill_super);
> + err = get_tree_single(fc, debugfs_fill_super);
> + if (err)
> + return err;
> +
> + return debugfs_reconfigure(fc);
> }
>
> static void debugfs_free_fc(struct fs_context *fc)
>
> ---
> base-commit: 3c4a063b1f8ab71352df1421d9668521acb63cd9
> change-id: 20250804-debugfs-mount-opts-2a68d7741f05
>
> Best regards,
Eric Sandeen <sandeen@redhat.com> writes:
> On 8/13/25 6:55 PM, Charalampos Mitrodimas wrote:
>> Mount options (uid, gid, mode) are silently ignored when debugfs is
>> mounted. This is a regression introduced during the conversion to the
>> new mount API.
>>
>> When the mount API conversion was done, the line that sets
>> sb->s_fs_info to the parsed options was removed. This causes
>> debugfs_apply_options() to operate on a NULL pointer.
>
> The change looks fine to me but I'm a little confused by this paragraph.
> Is there something in the current code that will lead to an OOPs of
> the kernel on a NULL ptr?
Ah, sorry for the confusion, I worded that poorly. There's no OOPs in
the code.
Sending a v3 for it.
>
> I just don't want to generate CVEs if we don't have to ;)
>
> As for the code change itself,
>
> Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Thanks!
>
> Thanks!
>
>> Fix this by following the same pattern as the tracefs fix in commit
>> e4d32142d1de ("tracing: Fix tracefs mount options"). Call
>> debugfs_reconfigure() in debugfs_get_tree() to apply the mount options
>> to the superblock after it has been created or reused.
>>
>> As an example, with the bug the "mode" mount option is ignored:
>>
>> $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test
>> $ mount | grep debugfs_test
>> debugfs on /tmp/debugfs_test type debugfs (rw,relatime)
>> $ ls -ld /tmp/debugfs_test
>> drwx------ 25 root root 0 Aug 4 14:16 /tmp/debugfs_test
>>
>> With the fix applied, it works as expected:
>>
>> $ mount -o mode=0666 -t debugfs debugfs /tmp/debugfs_test
>> $ mount | grep debugfs_test
>> debugfs on /tmp/debugfs_test type debugfs (rw,relatime,mode=666)
>> $ ls -ld /tmp/debugfs_test
>> drw-rw-rw- 37 root root 0 Aug 2 17:28 /tmp/debugfs_test
>>
>> Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API")
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220406
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
>> ---
>> Changes in v2:
>> - Follow the same pattern as e4d32142d1de ("tracing: Fix tracefs mount options")
>> - Add Cc: stable tag
>> - Link to v1: https://lore.kernel.org/r/20250804-debugfs-mount-opts-v1-1-bc05947a80b5@posteo.net
>> ---
>> fs/debugfs/inode.c | 11 ++++++++++-
>> 1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
>> index a0357b0cf362d8ac47ff810e162402d6a8ae2cb9..c12d649df6a5435050f606c2828a9a7cc61922e4 100644
>> --- a/fs/debugfs/inode.c
>> +++ b/fs/debugfs/inode.c
>> @@ -183,6 +183,9 @@ static int debugfs_reconfigure(struct fs_context *fc)
>> struct debugfs_fs_info *sb_opts = sb->s_fs_info;
>> struct debugfs_fs_info *new_opts = fc->s_fs_info;
>>
>> + if (!new_opts)
>> + return 0;
>> +
>> sync_filesystem(sb);
>>
>> /* structure copy of new mount options to sb */
>> @@ -282,10 +285,16 @@ static int debugfs_fill_super(struct super_block *sb, struct fs_context *fc)
>>
>> static int debugfs_get_tree(struct fs_context *fc)
>> {
>> + int err;
>> +
>> if (!(debugfs_allow & DEBUGFS_ALLOW_API))
>> return -EPERM;
>>
>> - return get_tree_single(fc, debugfs_fill_super);
>> + err = get_tree_single(fc, debugfs_fill_super);
>> + if (err)
>> + return err;
>> +
>> + return debugfs_reconfigure(fc);
>> }
>>
>> static void debugfs_free_fc(struct fs_context *fc)
>>
>> ---
>> base-commit: 3c4a063b1f8ab71352df1421d9668521acb63cd9
>> change-id: 20250804-debugfs-mount-opts-2a68d7741f05
>>
>> Best regards,
© 2016 - 2025 Red Hat, Inc.