Date: Thu, 14 Sep 2023 03:37:05 +0100
From: Al Viro
To: Christoph Hellwig
Cc: Christian Brauner, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Fenghua Yu, Reinette Chatre, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Dennis Dalessandro, Tejun Heo, Trond Myklebust, Anna Schumaker, Kees Cook, Damien Le Moal, Naohiro Aota, Greg Kroah-Hartman, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, linux-rdma@vger.kernel.org, linux-nfs@vger.kernel.org, linux-hardening@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH 03/19] fs: release anon dev_t in deactivate_locked_super
Message-ID: <20230914023705.GH800259@ZenIV>
References: <20230913111013.77623-1-hch@lst.de> <20230913111013.77623-4-hch@lst.de> <20230913232712.GC800259@ZenIV>
In-Reply-To: <20230913232712.GC800259@ZenIV>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 14, 2023 at 12:27:12AM +0100, Al Viro wrote:
> On Wed, Sep 13, 2023 at 08:09:57AM -0300, Christoph Hellwig wrote:
> > Releasing an anon dev_t is a very common thing when freeing a
> > super_block, as that's done for basically any not block based file
> > system (modulo the odd mtd special case). So instead of requiring
> > a special ->kill_sb helper and a lot of boilerplate in more complicated
> > file systems, just release the anon dev_t in deactivate_locked_super if
> > the super_block was using one.
> >
> > As the freeing is done after the main call to kill_super_notify, this
> > removes the need for having two slightly different call sites for it.
>
> Huh? At this stage in your series freeing is still in ->kill_sb()
> instances, after the calls of kill_anon_super() you've turned into
> the calls of generic_shutdown_super().
>
> You do split it off into a separate method later in the series, but
> at this point you are reopening the same UAF that had been dealt with
> in dc3216b14160 "super: ensure valid info".
>
> Either move the introduction of ->free_sb() before that one, or
> split it into lifting put_anon_bdev() (left here) and getting rid
> of kill_anon_super() (after ->free_sb() introduction).

Actually, looking at the final stage in the series, you still have
kill_super_notify() done *AFTER* ->free_sb() call. So the problem
persists until the very end...