On Sat, May 30, 2026 at 04:51:33PM +0000, John Groves wrote:
> From: John Groves <[email protected]>
>
> This fix is in response to a Sashiko review, and some subsequent
> analysis.
>
> dax_dev_get() uses iget5_locked() which creates a new inode if no
> matching one exists. This is correct for the internal caller
> (alloc_dax), but dangerous for external callers that look up devices
> from user-supplied or metadata-supplied dev_t values:
>
> 1. A new inode is created with DAXDEV_ALIVE set but no backing driver,
>    no ops, and no IDA-allocated minor number.
>
> 2. On teardown, dax_destroy_inode() warns because kill_dax() was never
>    called, and dax_free_inode() calls ida_free() for a minor that was
>    never ida_alloc'd -- potentially freeing the minor of a real device.
>
> Add dax_dev_find() which uses ilookup5() for lookup-only semantics:
> it returns an existing dax_device with an elevated inode reference, or
> NULL if no device with the given dev_t exists. It never creates inodes.
> A dax_alive() check under dax_read_lock() guards against returning a
> device that is concurrently being torn down by kill_dax().
>
> Make dax_dev_get() static again (internal to super.c for alloc_dax),
> export dax_dev_find() instead, and update the two external callers
> (famfs_inode.c, famfs.c). Also add the missing CONFIG_DAX=n stub.
>
> Fixes: 2ae624d5a555d ("dax: export dax_dev_get()")
> Signed-off-by: John Groves <[email protected]>
> ---

Reviewed-by: Alison Schofield <[email protected]>

