On 5/24/21 10:19 AM, Zhang, Qiang wrote:
> On Mon, 24 May 2021 15:18:44 +0800
>> From: Zqiang <qiang.zhang@xxxxxxxxxxxxx>
>>
>> The syzbot report a UAF when iou-wrk accessing wqe of the hash
>> waitqueue. in the case of sharing a hash waitqueue between two
>> io-wq, when one of the io-wq is destroyed, all iou-wrk in this
>> io-wq are awakened, all wqe belonging to this io-wq are removed
>> from hash waitqueue, after that, all iou-wrk belonging to this
>> io-wq begin running, suppose following scenarios, wqe[0] and wqe[1]
>> belong to this io-wq, and these work has same hash value.

Zhang, btw check your mail encoding, should some plain unicode

--
Pavel Begunkov