On Tue, Nov 01, 2022 at 07:28:17PM +0800, Yu Kuai wrote:
> What if bd_holder_dir is already freed here, then uaf can be triggered.
> Thus bd_holder_dir need to be reset in del_gendisk() if its reference
> is dropped to 0, however, kobject apis can't do that...

Indeed. I don't think we can simply move the dropping of the reference
as you suggested as that also implies taking it earlier, and the device
in the disk is only initialized in add_disk.

Now what I think we could do is:

 - hold open_mutex in bd_link_disk_holder as you suggested
 - check that the bdev inode is hashed inside open_mutex before doing
   the kobject_get
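The two-step shape proposed above (take open_mutex, then only kobject_get on bd_holder_dir if the bdev inode is still hashed) can be modelled in userspace to show why the check matters. The following is an added illustration written for this thread, not kernel code or code from the patch under discussion: holder_dir, bdev, holder_get/holder_put, del_gendisk_model and the two bd_link_holder_* functions are simplified stand-ins for kobject, struct block_device, kobject_get/kobject_put, del_gendisk and bd_link_disk_holder, and the "freed" flag replaces actually freeing memory so the use-after-free becomes observable as a return code instead of a crash.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the kernel objects named in the thread (assumption: these
 * are simplified models, not the kernel's kobject / block_device code). */
struct holder_dir {          /* models bd_holder_dir, a kobject */
    int refcount;            /* models the kobject's kref */
    bool freed;              /* set when the last reference is dropped */
};

struct bdev {                /* models struct block_device */
    bool hashed;             /* models inode_is_hashed(bdev->bd_inode) */
    struct holder_dir *holder_dir;
};

static pthread_mutex_t open_mutex = PTHREAD_MUTEX_INITIALIZER;

/* kobject_get stand-in: taking a reference on an already freed object is
 * the use-after-free; here it is reported as false instead of crashing. */
static bool holder_get(struct holder_dir *h)
{
    if (h->freed)
        return false;
    h->refcount++;
    return true;
}

/* kobject_put stand-in: the object is "freed" when the count hits zero. */
static void holder_put(struct holder_dir *h)
{
    if (!h->freed && --h->refcount == 0)
        h->freed = true;
}

/* del_gendisk stand-in: unhash the bdev inode under open_mutex, then drop
 * the disk's own reference on bd_holder_dir (which may free it). */
static void del_gendisk_model(struct bdev *b)
{
    pthread_mutex_lock(&open_mutex);
    b->hashed = false;
    pthread_mutex_unlock(&open_mutex);
    holder_put(b->holder_dir);
}

/* The hazard from the quoted mail: no lock, no liveness check. */
static int bd_link_holder_unsafe(struct bdev *b)
{
    return holder_get(b->holder_dir) ? 0 : -EFAULT;  /* -EFAULT marks the UAF */
}

/* The proposed shape: hold open_mutex and only kobject_get while the
 * inode is still hashed, i.e. while del_gendisk has not run yet. */
static int bd_link_holder_safe(struct bdev *b)
{
    int ret = 0;

    pthread_mutex_lock(&open_mutex);
    if (!b->hashed)
        ret = -ENODEV;
    else if (!holder_get(b->holder_dir))
        ret = -EFAULT;
    pthread_mutex_unlock(&open_mutex);
    return ret;
}

/* Runs the whole scenario on constructed objects; returns 0 if every step
 * behaves as described in the thread, otherwise the failing step number. */
static int holder_scenario(void)
{
    struct holder_dir h = { .refcount = 1, .freed = false };
    struct bdev b = { .hashed = true, .holder_dir = &h };

    if (bd_link_holder_safe(&b) != 0 || h.refcount != 2) return 1;
    holder_put(&h);                       /* holder unlinks again */
    del_gendisk_model(&b);                /* disk goes away, kobject freed */
    if (!h.freed) return 2;
    if (bd_link_holder_safe(&b) != -ENODEV) return 3;   /* rejected cleanly */
    if (bd_link_holder_unsafe(&b) != -EFAULT) return 4; /* would have been a UAF */
    return 0;
}

int main(void)
{
    printf("scenario result: %d\n", holder_scenario());
    return 0;
}
```

The model is single-threaded on purpose: the point is the ordering, not the race itself. Because del_gendisk clears the hashed state under the same open_mutex that the link path takes, the link path can never observe "hashed" and then call kobject_get on an object del_gendisk has already released.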