From: Greg KH <gregkh@linuxfoundation.org>
To: Yu Kuai <yukuai1@huaweicloud.com>
Cc: hch@lst.de, axboe@kernel.dk, willy@infradead.org,
martin.petersen@oracle.com, kch@nvidia.com,
linux-block@vger.kernel.org, linux-kernel@vger.kernel.org,
yi.zhang@huawei.com, "yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [PATCH RFC 1/2] kobject: add return value for kobject_put()
Date: Tue, 18 Oct 2022 20:18:01 +0200
Message-ID: <Y07t2agdfUeujGE/@kroah.com>
In-Reply-To: <2f962069-8fd9-08df-aa00-062b94569c36@huaweicloud.com>

On Tue, Oct 18, 2022 at 09:12:08PM +0800, Yu Kuai wrote:
>
>
> On 2022/10/18 21:00, Greg KH wrote:
> > On Tue, Oct 18, 2022 at 09:14:31PM +0800, Yu Kuai wrote:
> > > The return value will be used in later patch to fix uaf for slave_dir
> > > and bd_holder_dir in block layer.
> >
> > Then the user will be incorrect, this is not ok, you should never care
> > if you are the last "put" on an object at all. Hint, what happens right
> > after you call this and get the result?
> >
>
> I tried to reset the pointer to NULL in patch 2 to prevent uaf.

That is not ok, sorry.

> And the
> whole kobject_put() and pointer reset is protected by a mutex, the mutex
> will be used on the reader side before kobject_get as well. So, in fact,
> I'm protecting them by the mutex...

Still not ok. You never know who else has a reference on a kobject,
that's the point of reference counted objects.

> I can bypass it by using another reference anyway. But let's see if
> anyone has suggestions on the other patch.
>
> > sorry, but NAK.
>
> I know the best way is to refactor the lifecycle of the problematic
> bd_holder_dir/slave_dir, however, I gave that up because this seems
> quite complicated and influence is very huge...

Please fix it up properly, core changes like this should not be needed.

thanks,

greg k-h
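
Added example, not part of the email or of either patch: a single-threaded user-space C model of the pattern discussed above, where a shared pointer is reset only when a put reports that it dropped the last reference. All names (struct obj, obj_put_last, teardown_checked, teardown_owned, slot_dangles) are hypothetical, and the mutex is left out because the steps run in sequence.

```c
/* Constructed user-space model; every name here is hypothetical, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct obj {
    int refs;       /* stands in for the kobject's kref */
    bool released;  /* set where the release callback would free the object */
};

static void obj_get(struct obj *o) { o->refs++; }

/* A put that reports whether it dropped the last reference. */
static bool obj_put_last(struct obj *o)
{
    o->released = (--o->refs == 0);
    return o->released;
}

/* Pattern from the thread: reset the shared pointer only if our put was last. */
static void teardown_checked(struct obj **slot)
{
    if (obj_put_last(*slot))
        *slot = NULL;
}

/* Alternative: the slot owns one reference; unpublish first, then drop it. */
static void teardown_owned(struct obj **slot)
{
    struct obj *o = *slot;
    *slot = NULL;
    obj_put_last(o);
}

/* True if, after the sequence, the slot still points at a released object. */
static bool slot_dangles(void (*teardown)(struct obj **))
{
    struct obj o = { .refs = 1, .released = false };
    struct obj *slot = &o;  /* published pointer backed by the creator's reference */
    obj_get(&o);            /* another holder that the teardown path cannot see */
    teardown(&slot);        /* the step the thread wraps in a mutex */
    obj_put_last(&o);       /* the other holder drops its reference afterwards */
    return slot != NULL && slot->released;
}

int main(void)
{
    printf("checked: %d, owned: %d\n", slot_dangles(teardown_checked), slot_dangles(teardown_owned));
    return 0;
}
```

In the checked variant a reader that finds the slot non-NULL and takes a reference would be touching a released object; the owned variant never looks at the count.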

Thread overview: 6+ messages
2022-10-18 13:14 [PATCH RFC 0/2] block: fix uaf in bd_link_disk_holder() Yu Kuai
2022-10-18 13:14 ` [PATCH RFC 1/2] kobject: add return value for kobject_put() Yu Kuai
2022-10-18 13:00 ` Greg KH
2022-10-18 13:12 ` Yu Kuai
2022-10-18 18:18 ` Greg KH [this message]
2022-10-18 13:14 ` [PATCH RFC 2/2] block: protect slave_dir/bd_holder_dir by open_mutex Yu Kuai