Re: [PATCH -next V3] ubi: fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl

[libaokun (A)]

在 2021/12/24 5:06, Richard Weinberger 写道:
> ----- Ursprüngliche Mail -----
> > Von: "libaokun (A)" <libaokun1@xxxxxxxxxx>
> > 在 2021/11/5 17:30, Baokun Li 写道:
> >
> > ping
> Thanks for your patience.
>   
> > > Hulk Robot reported a KASAN report about use-after-free:
> [...]
>
> > > The cause of this problem is that commit 714fb87e8bc0 make device
> > > "available" before it becomes accessible via sysfs. Therefore, we
> > > roll back the modification. We will fix the race condition between
> > > ubi device creation and udev by removing ubi_get_device in
> > > vol_attribute_show and dev_attribute_show.This avoids accessing
> > > uninitialized ubi_devices[ubi_num].
> > >
> > > ubi_get_device is used to prevent devices from being deleted during
> > > sysfs execution. However, now kernfs ensures that devices will not
> > > be deleted before all reference counting are released.
> > > The key process is shown in the following stack.
> ubi_get_device() in dev_attribute_show() is used to detect whether
> the ubi device got detached while the sysfs file is open.
>
> Hmm. I thought for sysfs this is not the case since sysfs does not implement
> a release() method. So kernfs_drain_open_files() will return early.
> But there is a good chance that I don't got all kernfs/sysfs details.
>
> Thanks,
> //richard
> .

Thank you for your review!

--
With Best Regards,
Baokun Li