Re: 回复: [PATCH] io-wq: Fix UAF when wakeup wqe in hash waitqueue

From: Pavel Begunkov
Date: Mon May 24 2021 - 06:19:11 EST

Next message: Andy Shevchenko: "Re: [PATCH v3 4/6] mfd: Add RTL8231 core device"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] debugfs: remove return value of debugfs_create_bool()"
In reply to: Zhang, Qiang: "回复: 回复: [PATCH] io-wq: Fix UAF when wakeup wqe in hash waitqueue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/24/21 10:19 AM, Zhang, Qiang wrote:
> On Mon, 24 May 2021 15:18:44 +0800
>> From: Zqiang <qiang.zhang@xxxxxxxxxxxxx>
>>
>> The syzbot report a UAF when iou-wrk accessing wqe of the hash
>> waitqueue. in the case of sharing a hash waitqueue between two
>> io-wq, when one of the io-wq is destroyed, all iou-wrk in this
>> io-wq are awakened, all wqe belonging to this io-wq are removed
>> from hash waitqueue, after that, all iou-wrk belonging to this
>> io-wq begin running, suppose following scenarios, wqe[0] and wqe[1]
>> belong to this io-wq, and these work has same hash value.

Zhang, btw check your mail encoding, should some plain unicode

--
Pavel Begunkov

Next message: Andy Shevchenko: "Re: [PATCH v3 4/6] mfd: Add RTL8231 core device"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] debugfs: remove return value of debugfs_create_bool()"
In reply to: Zhang, Qiang: "回复: 回复: [PATCH] io-wq: Fix UAF when wakeup wqe in hash waitqueue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]