Date: Tue, 26 Sep 2023 11:38:34 +0200
From: Christoph Hellwig
To: Al Viro
Cc: Christoph Hellwig, Christian Brauner, Heiko Carstens, Vasily Gorbik,
    Alexander Gordeev, Fenghua Yu, Reinette Chatre, Miquel Raynal,
    Richard Weinberger, Vignesh Raghavendra, Dennis Dalessandro, Tejun Heo,
    Trond Myklebust, Anna Schumaker, Kees Cook, Damien Le Moal, Naohiro Aota,
    Greg Kroah-Hartman, linux-usb@vger.kernel.org,
    linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
    linux-rdma@vger.kernel.org, linux-nfs@vger.kernel.org,
    linux-hardening@vger.kernel.org, cgroups@vger.kernel.org
Subject: Re: [PATCH 03/19] fs: release anon dev_t in deactivate_locked_super
Message-ID: <20230926093834.GB13806@lst.de>

On Thu, Sep 14, 2023 at 12:27:12AM +0100, Al Viro wrote:
> On Wed, Sep 13, 2023 at 08:09:57AM -0300, Christoph Hellwig wrote:
> > Releasing an anon dev_t is a very common thing when freeing a
> > super_block, as that's done for basically any not block based file
> > system (modulo the odd mtd special case). So instead of requiring
> > a special ->kill_sb helper and a lot of boilerplate in more complicated
> > file systems, just release the anon dev_t in deactivate_locked_super if
> > the super_block was using one.
> >
> > As the freeing is done after the main call to kill_super_notify, this
> > removes the need for having two slightly different call sites for it.
>
> Huh? At this stage in your series freeing is still in ->kill_sb()
> instances, after the calls of kill_anon_super() you've turned into
> the calls of generic_shutdown_super().

The above refers to freeing the anon dev_t, which at this stage is
done right after the kill_super_notify in generic_shutdown_super.

> You do split it off into a separate method later in the series, but
> at this point you are reopening the same UAF that had been dealt with
> in dc3216b14160 "super: ensure valid info".

How?

Old sequence before this patch:

    deactivate_locked_super()
    -> kill_anon_super()
    -> generic_shutdown_super()
    -> kill_super_notify()
    -> free_anon_bdev()
    -> kill_super_notify()

New sequence with this patch:

    deactivate_locked_super()
    -> generic_shutdown_super()
    -> kill_super_notify()
    -> free_anon_bdev()