Hi,
On 2022/11/01 21:18, Christoph Hellwig wrote:
> On Tue, Nov 01, 2022 at 07:28:17PM +0800, Yu Kuai wrote:
>> What if bd_holder_dir is already freed here, then uaf can be triggered.
>> Thus bd_holder_dir need to be reset in del_gendisk() if its reference
>> is dropped to 0, however, kobject apis can't do that...
> Indeed. I don't think we can simply move the dropping of the reference
> as you suggested as that also implies taking it earlier, and the
> device in the disk is only initialized in add_disk.
> Now what I think we could do is:
> - hold open_mutex in bd_link_disk_holder as you suggested
> - check that the bdev inode is hashed inside open_mutex before doing
> the kobject_get
Yes, that sounds good, checking if the inode is hashed is better than
what I did in another thread to introduce a new field.
Thanks,
Kuai