Re: [PATCH -nect RFC v2 0/2] block: fix uaf in bd_link_disk_holder()

From: Yu Kuai
Date: Sun Oct 30 2022 - 21:08:50 EST

Next message: Guo Ren: "Re: [PATCH v5 4/7] riscv: dts: renesas: Add initial devicetree for Renesas RZ/Five SoC"
Previous message: Aiqun(Maria) Yu: "Re: [PATCH v4] remoteproc: core: do pm relax when in RPROC_OFFLINE"
In reply to: Christoph Hellwig: "Re: [PATCH -nect RFC v2 0/2] block: fix uaf in bd_link_disk_holder()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi, Christoph

在 2022/10/30 23:30, Christoph Hellwig 写道:

On Fri, Oct 21, 2022 at 11:15:34AM +0800, Yu Kuai wrote:

Hi,

在 2022/10/21 0:47, Christoph Hellwig 写道:

As mentioned before I don't think we should make this even more
crufty in the block layer. See the series I just sent to move it int
dm.

It seems we had some misunderstanding, the problem I tried to fix here
should not just related to dm, but all the caller of
bd_link_disk_holder().

As far as I can tell the problem was just that patch 1 in my series blows
away the bd_holder_dir pointer in part0 on del_gendisk. Each holder
actually holds a reference to the kobject, so the memory for it is
still valid, it's just that the pointer got cleared. I'll send a v2
in a bit.

This is not the real case. In bd_link_disk_hoder(), bd_hodler_dir is
accessed first by add_symlink(), and then reference is grabed later.
The reference should be grabed before bd_holder_dir is accessed, like
what I try to do in patch 2.

Thanks,
Kuai

.

Next message: Guo Ren: "Re: [PATCH v5 4/7] riscv: dts: renesas: Add initial devicetree for Renesas RZ/Five SoC"
Previous message: Aiqun(Maria) Yu: "Re: [PATCH v4] remoteproc: core: do pm relax when in RPROC_OFFLINE"
In reply to: Christoph Hellwig: "Re: [PATCH -nect RFC v2 0/2] block: fix uaf in bd_link_disk_holder()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]