From 3ae94a55d047d133fad1e6c811befe4347b75791 Mon Sep 17 00:00:00 2001
From: Aaron Thompson <dev@aaront.org>
Date: Thu, 20 Nov 2025 10:26:32 +0000
Subject: debugfs: Remove redundant access mode checks

debugfs_get_tree() can only be called if debugfs itself calls
simple_pin_fs() or register_filesystem(), and those call paths also
check the access mode.

debugfs_start_creating() checks the access mode so the checks in the
debugfs_create_* functions are unnecessary.

An upcoming change will affect debugfs_allow, so doing this cleanup
first will make that change simpler.

Signed-off-by: Aaron Thompson <dev@aaront.org>
Link: https://patch.msgid.link/20251120102222.18371-2-dev@null.aaront.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/debugfs/inode.c | 18 ------------------
 1 file changed, 18 deletions(-)

(limited to 'fs/debugfs/inode.c')

diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 661a99a7dfbe..b6e401c46b6b 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -287,9 +287,6 @@ static int debugfs_get_tree(struct fs_context *fc)
 {
 	int err;
 
-	if (!(debugfs_allow & DEBUGFS_ALLOW_API))
-		return -EPERM;
-
 	err = get_tree_single(fc, debugfs_fill_super);
 	if (err)
 		return err;
@@ -434,11 +431,6 @@ static struct dentry *__debugfs_create_file(const char *name, umode_t mode,
 	if (IS_ERR(dentry))
 		return dentry;
 
-	if (!(debugfs_allow & DEBUGFS_ALLOW_API)) {
-		failed_creating(dentry);
-		return ERR_PTR(-EPERM);
-	}
-
 	inode = debugfs_get_inode(dentry->d_sb);
 	if (unlikely(!inode)) {
 		pr_err("out of free dentries, can not create file '%s'\n",
@@ -584,11 +576,6 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
 	if (IS_ERR(dentry))
 		return dentry;
 
-	if (!(debugfs_allow & DEBUGFS_ALLOW_API)) {
-		failed_creating(dentry);
-		return ERR_PTR(-EPERM);
-	}
-
 	inode = debugfs_get_inode(dentry->d_sb);
 	if (unlikely(!inode)) {
 		pr_err("out of free dentries, can not create directory '%s'\n",
@@ -631,11 +618,6 @@ struct dentry *debugfs_create_automount(const char *name,
 	if (IS_ERR(dentry))
 		return dentry;
 
-	if (!(debugfs_allow & DEBUGFS_ALLOW_API)) {
-		failed_creating(dentry);
-		return ERR_PTR(-EPERM);
-	}
-
 	inode = debugfs_get_inode(dentry->d_sb);
 	if (unlikely(!inode)) {
 		pr_err("out of free dentries, can not create automount '%s'\n",
-- 
cgit v1.2.3


From f278809475f6835b56de78b28dc2cc0c7e2c20a4 Mon Sep 17 00:00:00 2001
From: Aaron Thompson <dev@aaront.org>
Date: Thu, 20 Nov 2025 10:26:33 +0000
Subject: debugfs: Remove broken no-mount mode

debugfs access modes were added in Linux 5.10 (Dec 2020) [1], but the
no-mount mode has behaved effectively the same as the off mode since
Linux 5.12 (Apr 2021) [2]. The only difference is the specific error
code returned by the debugfs_create_* functions, which is -ENOENT in
no-mount mode and -EPERM in off mode.

Given that no-mount hasn't worked for several years with no complaints,
just remove it.

[1] a24c6f7bc923 ("debugfs: Add access restriction option")

[2] bc6de804d36b ("debugfs: be more robust at handling improper input in debugfs_lookup()")
    56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized")

Signed-off-by: Aaron Thompson <dev@aaront.org>
Link: https://patch.msgid.link/20251120102222.18371-3-dev@null.aaront.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/admin-guide/kernel-parameters.txt |  6 +-----
 fs/debugfs/inode.c                              | 18 +++++++++++-------
 fs/debugfs/internal.h                           | 13 -------------
 lib/Kconfig.debug                               |  9 +--------
 4 files changed, 13 insertions(+), 33 deletions(-)

(limited to 'fs/debugfs/inode.c')

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 6c42061ca20e..847a17efe289 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1113,12 +1113,8 @@
 
 	debugfs=    	[KNL,EARLY] This parameter enables what is exposed to
 			userspace and debugfs internal clients.
-			Format: { on, no-mount, off }
+			Format: { on, off }
 			on: 	All functions are enabled.
-			no-mount:
-				Filesystem is not registered but kernel clients can
-			        access APIs and a crashkernel can be used to read
-				its content. There is nothing to mount.
 			off: 	Filesystem is not registered and clients
 			        get a -EPERM as result when trying to register files
 				or directories within debugfs.
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index b6e401c46b6b..0284b0256195 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -35,7 +35,7 @@
 static struct vfsmount *debugfs_mount;
 static int debugfs_mount_count;
 static bool debugfs_registered;
-static unsigned int debugfs_allow __ro_after_init = DEFAULT_DEBUGFS_ALLOW_BITS;
+static bool debugfs_enabled __ro_after_init = IS_ENABLED(DEBUG_FS_ALLOW_ALL);
 
 /*
  * Don't allow access attributes to be changed whilst the kernel is locked down
@@ -365,7 +365,7 @@ static struct dentry *debugfs_start_creating(const char *name,
 	struct dentry *dentry;
 	int error;
 
-	if (!(debugfs_allow & DEBUGFS_ALLOW_API))
+	if (!debugfs_enabled)
 		return ERR_PTR(-EPERM);
 
 	if (!debugfs_initialized())
@@ -885,21 +885,25 @@ static int __init debugfs_kernel(char *str)
 {
 	if (str) {
 		if (!strcmp(str, "on"))
-			debugfs_allow = DEBUGFS_ALLOW_API | DEBUGFS_ALLOW_MOUNT;
-		else if (!strcmp(str, "no-mount"))
-			debugfs_allow = DEBUGFS_ALLOW_API;
+			debugfs_enabled = true;
 		else if (!strcmp(str, "off"))
-			debugfs_allow = 0;
+			debugfs_enabled = false;
+		else if (!strcmp(str, "no-mount")) {
+			pr_notice("debugfs=no-mount is a deprecated alias "
+				  "for debugfs=off\n");
+			debugfs_enabled = false;
+		}
 	}
 
 	return 0;
 }
 early_param("debugfs", debugfs_kernel);
+
 static int __init debugfs_init(void)
 {
 	int retval;
 
-	if (!(debugfs_allow & DEBUGFS_ALLOW_MOUNT))
+	if (!debugfs_enabled)
 		return -EPERM;
 
 	retval = sysfs_create_mount_point(kernel_kobj, "debug");
diff --git a/fs/debugfs/internal.h b/fs/debugfs/internal.h
index 427987f81571..c95699b27a56 100644
--- a/fs/debugfs/internal.h
+++ b/fs/debugfs/internal.h
@@ -55,17 +55,4 @@ enum {
 	HAS_IOCTL = 16
 };
 
-#define DEBUGFS_ALLOW_API	BIT(0)
-#define DEBUGFS_ALLOW_MOUNT	BIT(1)
-
-#ifdef CONFIG_DEBUG_FS_ALLOW_ALL
-#define DEFAULT_DEBUGFS_ALLOW_BITS (DEBUGFS_ALLOW_MOUNT | DEBUGFS_ALLOW_API)
-#endif
-#ifdef CONFIG_DEBUG_FS_DISALLOW_MOUNT
-#define DEFAULT_DEBUGFS_ALLOW_BITS (DEBUGFS_ALLOW_API)
-#endif
-#ifdef CONFIG_DEBUG_FS_ALLOW_NONE
-#define DEFAULT_DEBUGFS_ALLOW_BITS (0)
-#endif
-
 #endif /* _DEBUGFS_INTERNAL_H_ */
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 3034e294d50d..d9ab42916143 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -679,7 +679,7 @@ choice
 	help
 	  This selects the default access restrictions for debugfs.
 	  It can be overridden with kernel command line option
-	  debugfs=[on,no-mount,off]. The restrictions apply for API access
+	  debugfs=[on,off]. The restrictions apply for API access
 	  and filesystem registration.
 
 config DEBUG_FS_ALLOW_ALL
@@ -688,13 +688,6 @@ config DEBUG_FS_ALLOW_ALL
 	  No restrictions apply. Both API and filesystem registration
 	  is on. This is the normal default operation.
 
-config DEBUG_FS_DISALLOW_MOUNT
-	bool "Do not register debugfs as filesystem"
-	help
-	  The API is open but filesystem is not loaded. Clients can still do
-	  their work and read with debug tools that do not need
-	  debugfs filesystem.
-
 config DEBUG_FS_ALLOW_NONE
 	bool "No access"
 	help
-- 
cgit v1.2.3


From d3666c1f8a31b7ff6805effcfedfac22454c6517 Mon Sep 17 00:00:00 2001
From: Aaron Thompson <dev@aaront.org>
Date: Tue, 2 Dec 2025 07:12:40 +0000
Subject: debugfs: Fix default access mode config check

This typo caused debugfs to always behave as if
CONFIG_DEBUG_FS_ALLOW_NONE was selected.

Fixes: f278809475f6 ("debugfs: Remove broken no-mount mode")
Reported-by: Mark Brown <broonie@kernel.org>
Tested-by: Chen-Yu Tsai <wenst@chromium.org>
Signed-off-by: Aaron Thompson <dev@aaront.org>
Link: https://patch.msgid.link/20251202070927.14198-1-dev@null.aaront.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/debugfs/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'fs/debugfs/inode.c')

diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 0284b0256195..3b3713fcbbcb 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -35,7 +35,7 @@
 static struct vfsmount *debugfs_mount;
 static int debugfs_mount_count;
 static bool debugfs_registered;
-static bool debugfs_enabled __ro_after_init = IS_ENABLED(DEBUG_FS_ALLOW_ALL);
+static bool debugfs_enabled __ro_after_init = IS_ENABLED(CONFIG_DEBUG_FS_ALLOW_ALL);
 
 /*
  * Don't allow access attributes to be changed whilst the kernel is locked down
-- 
cgit v1.2.3