On Thu, Oct 10, 2024 at 07:25:42PM +0800, Ye Bin wrote:
> + if (sscanf(buffer, "%u:%u:%u", &major, &minor, &ctl) != 3)
> + return -EINVAL;
> +
> + if (ctl < *((int *)table->extra1) || ctl > *((int *)table->extra2))
> + return -EINVAL;
> +
> + sb = user_get_super(MKDEV(major, minor), false);
> + if (!sb)
> + return -EINVAL;

Odd user interface aside, you do realize that you've just grabbed ->s_umount from inside a ->write() instance? Considering how much can be grabbed under ->s_umount... Ow.

IOW, I very much doubt that doing that kind of stuff from sysctl is a good idea - if nothing else, we'll end up with syzbot screaming its head off about many and varied potential deadlocks, as soon as it discovers that one. And I wouldn't swear that all of those would be false positives.
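
Review bot: In the `user_get_super(MKDEV(major, minor), false)` call, `major` and `minor` come straight from `sscanf(buffer, "%u:%u:%u", ...)` with no range check, so a `minor` wider than MINORBITS spills into the major bits of the resulting dev_t and the lookup can resolve to a different device than the one the writer named. Check both values against their valid ranges before building the dev_t; this `sscanf` format also accepts trailing characters after the third field, so a parse that requires an exact match would be stricter. In the bounds test, `ctl` is parsed with `%u` but compared against `*((int *)table->extra1)` and `*((int *)table->extra2)`; make the types agree so a negative bound cannot silently turn the comparison into an unsigned one. A missing superblock returns -EINVAL, the same as a malformed string, and -ENODEV would let callers tell the two cases apart.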