On Thu, Sep 14, 2023 at 12:27:12AM +0100, Al Viro wrote:
> On Wed, Sep 13, 2023 at 08:09:57AM -0300, Christoph Hellwig wrote:
> > Releasing an anon dev_t is a very common thing when freeing a
> > super_block, as that's done for basically any not block based file
> > system (modulo the odd mtd special case).  So instead of requiring
> > a special ->kill_sb helper and a lot of boilerplate in more complicated
> > file systems, just release the anon dev_t in deactivate_locked_super if
> > the super_block was using one.
> >
> > As the freeing is done after the main call to kill_super_notify, this
> > removes the need for having two slightly different call sites for it.
>
> Huh?  At this stage in your series freeing is still in ->kill_sb()
> instances, after the calls of kill_anon_super() you've turned into
> the calls of generic_shutdown_super().

The above refers to freeing the anon dev_t, which at this stage is
done right after the kill_super_notify in generic_shutdown_super.

> You do split it off into a separate method later in the series, but
> at this point you are reopening the same UAF that had been dealt with
> in dc3216b14160 "super: ensure valid info".

How?  Old sequence before this patch:

deactivate_locked_super()
  -> kill_anon_super()
     -> generic_shutdown_super()
        -> kill_super_notify()
     -> free_anon_bdev()
     -> kill_super_notify()

New sequence with this patch:

deactivate_locked_super()
  -> generic_shutdown_super()
     -> kill_super_notify()
  -> free_anon_bdev()