[PATCH 1/2] ubi: block: Fix use-after-free of gendisk

Christoph Hellwig hch at infradead.org
Tue May 23 22:58:09 PDT 2023


On Tue, May 23, 2023 at 03:12:16PM +0200, Vincent Whitchurch wrote:
>  static void ubiblock_cleanup(struct ubiblock *dev)
>  {
> +	int first_minor = dev->gd->first_minor;
> +
>  	/* Stop new requests to arrive */
>  	del_gendisk(dev->gd);
>  	/* Finally destroy the blk queue */
>  	dev_info(disk_to_dev(dev->gd), "released");
>  	put_disk(dev->gd);
>  	blk_mq_free_tag_set(&dev->tag_set);
> -	idr_remove(&ubiblock_minor_idr, dev->gd->first_minor);
> +	idr_remove(&ubiblock_minor_idr, first_minor);
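Review bot: caching `first_minor` at the top of the function does stop the dereference of `dev->gd` after `put_disk(dev->gd)`, but `idr_remove(&ubiblock_minor_idr, first_minor)` still runs immediately after the driver has dropped only its own reference. If any other holder still has a reference to the gendisk at that point, the minor goes back into `ubiblock_minor_idr` while that disk is still alive, and the next ubiblock device can be allocated the same minor. Releasing the minor from a `free_disk` callback, which runs only when the gendisk is actually freed, would close that window instead of just moving the read earlier. Also, the comment "/* Finally destroy the blk queue */" now sits above the `dev_info()` call rather than the `put_disk()` it describes.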

I think the real fix here is to implement the free_disk method
and free the idr there.  That ensures the ID can't be reused until
the disk is entirely freed as well.
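To make the lifetime argument in the reply concrete, here is an added userspace model (not kernel code, and not the ubi block driver) of the two ways to return a minor number: from the cleanup path right after the driver's own put, versus from a `free_disk`-style callback that only runs when the last reference is dropped. Every identifier below (`struct disk`, `minor_alloc`, `cleanup_release_in_caller`, `free_disk_releases_minor`, and the bitmap standing in for the idr) is a hypothetical stand-in invented for this example.

```c
/* Added example: userspace model of gendisk lifetime vs. minor release.
 * Hypothetical names only; this is not the kernel block layer. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MINORS 4

/* Stand-in for ubiblock_minor_idr: a bitmap of allocated minors (constructed). */
static int minor_in_use[MAX_MINORS];

static int minor_alloc(void)
{
	for (int i = 0; i < MAX_MINORS; i++) {
		if (!minor_in_use[i]) {
			minor_in_use[i] = 1;
			return i;
		}
	}
	return -1;
}

static void minor_remove(int minor)
{
	minor_in_use[minor] = 0;
}

/* Stand-in for struct gendisk: refcount, minor, optional free callback. */
struct disk {
	int refcnt;
	int first_minor;
	void (*free_disk)(struct disk *); /* models block_device_operations.free_disk */
};

static struct disk *disk_alloc(void (*free_disk)(struct disk *))
{
	struct disk *d = calloc(1, sizeof(*d));
	if (!d)
		abort();
	d->refcnt = 1;
	d->first_minor = minor_alloc();
	d->free_disk = free_disk;
	return d;
}

static void get_disk(struct disk *d)
{
	d->refcnt++;
}

/* Drop a reference; only the last put runs the free callback. */
static void put_disk(struct disk *d)
{
	if (--d->refcnt == 0) {
		if (d->free_disk)
			d->free_disk(d);
		free(d);
	}
}

/* Strategy A (shape of the quoted patch): drop our reference, then return
 * the minor ourselves, regardless of whether anyone else still holds it. */
static void cleanup_release_in_caller(struct disk *d)
{
	int first_minor = d->first_minor; /* cached before our put, as in the patch */
	put_disk(d);
	minor_remove(first_minor);
}

/* Strategy B (the reply's suggestion): the minor is returned from the
 * free callback, so it is only released once the disk is really gone. */
static void free_disk_releases_minor(struct disk *d)
{
	minor_remove(d->first_minor);
}

static void cleanup_release_in_free_disk(struct disk *d)
{
	put_disk(d);
}

/* Returns 1 if a new disk is handed the minor of a disk that another
 * holder (an "opener") still references, 0 otherwise. */
static int minor_reused_while_open(int use_free_disk)
{
	memset(minor_in_use, 0, sizeof(minor_in_use));
	void (*cb)(struct disk *) = use_free_disk ? free_disk_releases_minor : NULL;

	struct disk *old = disk_alloc(cb);
	get_disk(old);                       /* an opener still holds the disk */
	int old_minor = old->first_minor;

	if (use_free_disk)
		cleanup_release_in_free_disk(old);
	else
		cleanup_release_in_caller(old);

	struct disk *nd = disk_alloc(cb);    /* next device comes along */
	int reused = (nd->first_minor == old_minor);

	put_disk(old);                       /* opener finally closes */
	put_disk(nd);
	return reused;
}
```

With strategy A the second device gets the still-open disk's minor; with strategy B it cannot, because the minor is only returned when the last reference is dropped.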


