On Tue, Jul 19, 2022 at 03:04:41PM +0100, Lee Jones wrote:
> On Wed, 06 Jul 2022, Lee Jones wrote:
>
> > On Mon, 09 May 2022, Eric Biggers wrote:
> >
> > > On Mon, May 09, 2022 at 09:17:26PM +0800, Haimin Zhang wrote:
> > > > From: Haimin Zhang <tcs_kernel@xxxxxxxxxxx>
> > > >
> > > > Add a new function call to deinitialize the watch_queue of a freed pipe.
> > > > When a pipe node is freed, it doesn't make pipe->watch_queue->pipe null.
> > > > Later when function post_one_notification is called, it will use this
> > > > field, but it has been freed and watch_queue->pipe is a dangling pointer.
> > > > It makes a UAF issue.
> > > > Check wqueue->defunct before pipe check since pipe becomes invalid once all
> > > > watch queues were cleared.
> > > >
> > > > Reported-by: TCS Robot <tcs_robot@xxxxxxxxxxx>
> > > > Signed-off-by: Haimin Zhang <tcs_kernel@xxxxxxxxxxx>
> > >
> > > Is this fixing something? If so it should have a "Fixes" tag.
> >
> > It sure is.
> >
> > Haimin, are you planning a v3?
>
> This patch is set to fix a pretty public / important bug.
>
> Has there been any more activity that I may have missed?
>
> Perhaps it's been superseded?

I think this was already fixed (correctly, unlike the above patch which is
very broken) by the following commit:

commit 353f7988dd8413c47718f7ca79c030b6fb62cfe5
Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date:   Tue Jul 19 11:09:01 2022 -0700

    watchqueue: make sure to serialize 'wqueue->defunct' properly

- Eric