Re: erofs: is z_erofs_put_pcluster()'s sbi access in the same UAF window as 1aee05e814d2?

Next message: Peng Fan: "Re: [PATCH 3/9] firmware: imx: ele: Add API functions for OCOTP fuse access"
Previous message: Pengpeng Hou: "[PATCH net] net: bcmgenet: report MDIO busy timeout"
In reply to: Zhan Xusheng: "Re: erofs: is z_erofs_put_pcluster()'s sbi access in the same UAF window as 1aee05e814d2?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Gao Xiang

Date: Tue Jun 23 2026 - 02:16:36 EST

On 2026/6/23 11:38, Zhan Xusheng wrote:

From: Zhan Xusheng <zhanxusheng1024@xxxxxxxxx>

On 2026/6/23, Gao Xiang wrote:

In short, I saw some similar report from LLMs, but I think
erofs_shrinker_unregister() should block this from kfree(sbi)
by design.

Right, that's the part I'd missed: erofs_shrinker_unregister() drains
sbi->managed_pslots (while (!xa_empty(...)) z_erofs_shrink_scan()) in
->put_super before erofs_sb_free(), so the in-flight pcluster keeps sbi
pinned across z_erofs_put_pcluster(). Thanks for the clarification.

Yes, that is what I meant, also I found usually LLMs could
miss some details by chance, so IMHO we'd better to check
manually again.

Thanks,
Gao Xiang

Zhan Xusheng