On Mon, Oct 31, 2022 at 09:52:04AM +0800, Yu Kuai wrote:
>>  INIT_LIST_HEAD(&holder->list);
>> -	holder->bdev = bdev;
>>  	holder->refcnt = 1;
>> +	holder->holder_dir = kobject_get(bdev->bd_holder_dir);
>
> I wonder if this is safe here, if the kobject reference is 0 here and
> bd_holder_dir is about to be freed. Here in kobject_get, kref_get() will
> warn about uaf, and kobject_get will return an address that is about to
> be freed.

But how could the reference be 0 here?  The driver that calls
bd_link_disk_holder must have the block device open and thus hold a
reference to it.

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/dm-devel
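Review bot: the new `holder->holder_dir = kobject_get(bdev->bd_holder_dir);` line relies on a precondition that the hunk does not state: as the reply points out, the caller of bd_link_disk_holder must hold the block device open, and that open reference is what guarantees the holders-directory kobject is not at refcount 0 when kobject_get() runs. Suggest a comment at the assignment, e.g. `/* caller holds bdev open, so bd_holder_dir cannot be at refcount 0 */`, so a future caller that links a holder without an open reference is caught in review rather than by a refcount_t warning at runtime. Separately, kobject_get() returns NULL when passed NULL and the hunk stores the result unchecked; if bd_holder_dir can be unset for the bdev passed in, holder->holder_dir needs a NULL check before the holder is used.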
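The reply's argument is a refcount invariant: whoever calls bd_link_disk_holder has the device open, so the holders-directory kobject is at refcount >= 1 when kobject_get() runs, and the holder then pins it with its own reference until unlink, which is why it survives the driver's later close. The userspace C model below is added here and is not part of the patch, the thread, or the kernel; all names (kobj_model, holder_model, link_holder, the scenario functions) are invented for the model. One deliberate difference: where the kernel's refcount_inc() warns and continues, the model refuses the get and returns NULL so the zero-count case Yu Kuai asked about is observable.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of a kobject-style refcounted object (not kernel code). */
struct kobj_model {
    int refcnt;   /* stands in for the kobject's kref / refcount_t */
    bool freed;   /* set when the last reference is dropped */
};

/* Models kobject_get() -> kref_get() -> refcount_inc().  The kernel WARNs
 * ("addition on 0; use-after-free") and still returns the pointer; this model
 * returns NULL on a zero count instead, a simplification made for the test. */
static struct kobj_model *kobj_model_get(struct kobj_model *k)
{
    if (!k)
        return NULL;                  /* kobject_get(NULL) is NULL */
    if (k->refcnt == 0) {
        fprintf(stderr, "refcount_t: addition on 0; use-after-free.\n");
        return NULL;
    }
    k->refcnt++;
    return k;
}

/* Models kobject_put(): the last put frees the object. */
static void kobj_model_put(struct kobj_model *k)
{
    assert(k->refcnt > 0);
    if (--k->refcnt == 0)
        k->freed = true;              /* would be kfree() via release() */
}

/* Models the holder entry from the hunk: it pins the holders directory. */
struct holder_model {
    struct kobj_model *holder_dir;
    int refcnt;
};

/* Models bd_link_disk_holder() after the patch.  Precondition (the reply's
 * argument): the caller already holds the device open, so holder_dir's
 * refcount is non-zero when we take our own reference on it. */
static struct holder_model *link_holder(struct kobj_model *holder_dir)
{
    struct holder_model *h = calloc(1, sizeof(*h));
    if (!h)
        return NULL;
    h->holder_dir = kobj_model_get(holder_dir);
    if (!h->holder_dir) {
        free(h);                      /* refused: count was already 0 */
        return NULL;
    }
    h->refcnt = 1;
    return h;
}

/* Models bd_unlink_disk_holder(): drops the holder's reference. */
static void unlink_holder(struct holder_model *h)
{
    if (--h->refcnt == 0) {
        kobj_model_put(h->holder_dir);
        free(h);
    }
}

/* Correct sequence: open, link, close, unlink.  Returns 0 when the object
 * survives the close and is freed only after the final put. */
static int scenario_open_then_link(void)
{
    struct kobj_model dir = { .refcnt = 1, .freed = false }; /* creation ref */
    struct holder_model *h;

    if (!kobj_model_get(&dir))        /* driver opens the device */
        return -1;
    h = link_holder(&dir);
    if (!h)
        return -2;
    kobj_model_put(&dir);             /* driver closes: holder ref keeps it */
    if (dir.freed)
        return -3;
    unlink_holder(h);
    kobj_model_put(&dir);             /* creator drops its own reference */
    return dir.freed ? 0 : -4;
}

/* Violated precondition: the last reference is already gone when the link is
 * attempted (the case asked about).  Returns 1 when the get is refused. */
static int scenario_link_after_free(void)
{
    struct kobj_model dir = { .refcnt = 1, .freed = false };

    kobj_model_put(&dir);             /* object is already "freed" here */
    return link_holder(&dir) == NULL;
}

int main(void)
{
    printf("open-then-link: %d\n", scenario_open_then_link());
    printf("link-after-free refused: %d\n", scenario_link_after_free());
    return 0;
}
```

The point the model makes is that the open reference only needs to exist at the instant of kobject_get(); after that the holder carries its own count, so the driver may close the device without the holders directory going away.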