Re: [PATCH 1/2] ubi: block: Fix use-after-free of gendisk

From: Christoph Hellwig
Date: Wed May 24 2023 - 01:58:29 EST


On Tue, May 23, 2023 at 03:12:16PM +0200, Vincent Whitchurch wrote:
> static void ubiblock_cleanup(struct ubiblock *dev)
> {
> + int first_minor = dev->gd->first_minor;
> +
> /* Stop new requests to arrive */
> del_gendisk(dev->gd);
> /* Finally destroy the blk queue */
> dev_info(disk_to_dev(dev->gd), "released");
> put_disk(dev->gd);
> blk_mq_free_tag_set(&dev->tag_set);
> - idr_remove(&ubiblock_minor_idr, dev->gd->first_minor);
> + idr_remove(&ubiblock_minor_idr, first_minor);
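Review bot: caching first_minor before put_disk() removes the read of dev->gd->first_minor after the gendisk reference is dropped, but idr_remove() in this hunk still runs as soon as ubiblock_cleanup() has called put_disk(), which only releases this caller's reference; if anything else still holds the disk, the minor is returned to ubiblock_minor_idr while the old gendisk is still alive, so a new ubiblock device could be assigned the same minor. Releasing the IDR entry from the disk's free path (a free_disk callback) instead of here would tie the minor's lifetime to the gendisk itself.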

I think the real fix here is to implement the free_disk method
and free the idr there. That ensures the ID can't be reused until
the disk is entirely freed as well.