Re: erofs: is z_erofs_put_pcluster()'s sbi access in the same UAF window as 1aee05e814d2?

From: Zhan Xusheng

Date: Mon Jun 22 2026 - 23:38:45 EST


From: Zhan Xusheng <zhanxusheng1024@xxxxxxxxx>

On 2026/6/23, Gao Xiang wrote:
> In short, I saw some similar report from LLMs, but I think
> erofs_shrinker_unregister() should block this from kfree(sbi)
> by design.

Right, that's the part I'd missed: erofs_shrinker_unregister() drains
sbi->managed_pslots (while (!xa_empty(...)) z_erofs_shrink_scan()) in
->put_super before erofs_sb_free(), so the in-flight pcluster keeps sbi
pinned across z_erofs_put_pcluster(). Thanks for the clarification.

Zhan Xusheng
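The ordering the reply describes (the managed set is drained in ->put_super before the superblock info is freed, so a pcluster still referenced by in-flight I/O pins sbi until the I/O path drops its reference) can be shown with a small model. The code below is an added example, not erofs code and not from either participant; every model_* name is hypothetical, a fixed array stands in for the xarray, and the refcount convention (1 means held only by the managed slot) is an assumption of the model rather than a statement about erofs internals.

```c
/* Added example: a simplified model of "drain the managed set, then free sbi".
 * Not erofs code; all model_* names are hypothetical. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

#define NSLOTS 4

struct model_sbi;

struct model_pcluster {
    atomic_int refcount;        /* 1 == held only by the managed slot (model assumption) */
    struct model_sbi *sbi;
};

struct model_sbi {
    struct model_pcluster *managed[NSLOTS]; /* stands in for managed_pslots */
    atomic_bool alive;                       /* cleared by the model's sb free */
};

/* Recorded by the I/O completion path: was sbi still alive at put time? */
static atomic_bool sbi_alive_at_put;

static struct model_pcluster *model_pcluster_alloc(struct model_sbi *sbi, int slot)
{
    struct model_pcluster *pcl = calloc(1, sizeof(*pcl));
    if (!pcl) abort();
    atomic_init(&pcl->refcount, 1);          /* managed slot's reference */
    pcl->sbi = sbi;
    sbi->managed[slot] = pcl;
    return pcl;
}

/* An in-flight user (a read in progress) takes an extra reference. */
static void model_get_pcluster(struct model_pcluster *pcl)
{
    atomic_fetch_add(&pcl->refcount, 1);
}

/* Drop the in-flight reference; record whether sbi was live when we ran. */
static void model_put_pcluster(struct model_pcluster *pcl)
{
    atomic_store(&sbi_alive_at_put, atomic_load(&pcl->sbi->alive));
    atomic_fetch_sub(&pcl->refcount, 1);     /* pcl not touched after this */
}

/* Reclaim only pclusters held solely by the managed slot; in-flight ones
 * (refcount > 1) are skipped. Returns the number freed. */
static int model_shrink_scan(struct model_sbi *sbi)
{
    int freed = 0;
    for (int i = 0; i < NSLOTS; i++) {
        struct model_pcluster *pcl = sbi->managed[i];
        int expected = 1;
        if (pcl && atomic_compare_exchange_strong(&pcl->refcount, &expected, 0)) {
            sbi->managed[i] = NULL;
            free(pcl);
            freed++;
        }
    }
    return freed;
}

static bool model_managed_empty(struct model_sbi *sbi)
{
    for (int i = 0; i < NSLOTS; i++)
        if (sbi->managed[i]) return false;
    return true;
}

/* ->put_super ordering: drain the managed set, only then free sbi.
 * The loop cannot finish while any pcluster has an in-flight reference. */
static void model_put_super(struct model_sbi *sbi)
{
    while (!model_managed_empty(sbi)) {
        model_shrink_scan(sbi);
        sched_yield();                       /* give the I/O thread a chance */
    }
    atomic_store(&sbi->alive, false);
    free(sbi);
}

static void *model_io_completion(void *arg)
{
    for (volatile int i = 0; i < 200000; i++) ; /* pretend the I/O takes a while */
    model_put_pcluster(arg);
    return NULL;
}

/* Run the scenario: one pcluster is in flight while put_super drains.
 * Returns true when the put saw a live sbi (the drain blocked the free). */
bool model_run(void)
{
    struct model_sbi *sbi = calloc(1, sizeof(*sbi));
    if (!sbi) abort();
    atomic_init(&sbi->alive, true);
    atomic_init(&sbi_alive_at_put, false);
    for (int i = 0; i < NSLOTS; i++) model_pcluster_alloc(sbi, i);

    struct model_pcluster *inflight = sbi->managed[2];
    model_get_pcluster(inflight);            /* I/O in progress on slot 2 */

    pthread_t t;
    if (pthread_create(&t, NULL, model_io_completion, inflight)) abort();
    model_put_super(sbi);                    /* drains (waits), then frees */
    pthread_join(t, NULL);
    return atomic_load(&sbi_alive_at_put);
}
```

The point of the model is the ordering, not the data structure: the shrink pass only frees sole-owned entries, so the drain loop in model_put_super spins until the I/O thread's model_put_pcluster has run, and sbi is freed strictly after that. Reversing the two steps in model_put_super (freeing sbi first, draining after) is exactly the window the subject line asks about; with the drain first there is no such window.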