Re: [syzbot] KASAN: use-after-free Read in post_one_notification

From: Siddh Raman Pant
Date: Wed Aug 03 2022 - 00:05:02 EST


On Wed, 03 Aug 2022 03:57:19 +0530 Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> It appears this was already fixed, so no need for any more activity on this bug:
>
> #syz fix: watchqueue: make sure to serialize 'wqueue->defunct' properly
>
> - Eric

It doesn't address the dangling pointer remaining in the watch_queue,
which was the root cause of this crash. The use-after-free happened
because the pipe was freed but a dangling pointer to it remained in
a watch_queue, and an attempt was made to dereference it.

Thanks,
Siddh
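
The failure mode described in this thread, a pipe freed while a watch_queue still holds a pointer to it, modelled as a small stand-alone C program. This is an added illustration, not kernel code: the struct layouts, the `pipe_release_buggy`/`pipe_release_fixed` functions, the `defunct` flag and the return values are assumptions chosen for the example. The fixed teardown shows the two things a practitioner checks for in this bug class: the owner clears the back-reference before its memory is released, and the consumer tests for the defunct state before dereferencing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the pipe <-> watch_queue relationship. Names and fields are
 * assumptions for illustration, not the kernel's actual structures. */
struct watch_queue;

struct pipe {
    struct watch_queue *watch_queue;   /* the pipe owns a queue while it lives */
    int id;
};

struct watch_queue {
    struct pipe *pipe;                 /* back-reference to the owning pipe */
    int defunct;                       /* set once the pipe is gone */
    int posted;                        /* notifications delivered so far */
};

static struct pipe *pipe_alloc(int id, struct watch_queue *wq)
{
    struct pipe *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->id = id;
    p->watch_queue = wq;
    wq->pipe = p;
    return p;
}

/* Buggy teardown: frees the pipe but leaves wq->pipe pointing at freed
 * memory. A later post through wq would dereference that stale pointer. */
static void pipe_release_buggy(struct pipe *p)
{
    free(p);
}

/* Fixed teardown: mark the queue defunct and clear the back-reference
 * before the pipe memory is released, so the queue can never reach it. */
static void pipe_release_fixed(struct pipe *p)
{
    struct watch_queue *wq = p->watch_queue;
    if (wq) {
        wq->defunct = 1;
        wq->pipe = NULL;
    }
    free(p);
}

/* Deliver one notification through the queue's pipe.
 * Returns the pipe id on success, -1 if the queue has no live pipe.
 * The defunct/NULL check must come before the dereference. */
static int post_one_notification(struct watch_queue *wq)
{
    if (wq->defunct || !wq->pipe)
        return -1;
    wq->posted++;           /* stands in for writing into the pipe */
    return wq->pipe->id;    /* dereference: only safe when the pipe is live */
}

/* Returns 1 if the buggy release leaves a non-NULL pipe pointer behind.
 * The stale pointer is only compared by address here, never dereferenced. */
static int demo_buggy_leaves_dangling(void)
{
    struct watch_queue wq = {0};
    struct pipe *p = pipe_alloc(1, &wq);
    pipe_release_buggy(p);
    return wq.pipe != NULL && !wq.defunct;
}

/* Returns what a post attempt yields after the fixed release (-1 expected).
 * Also confirms the post worked (returned id 2) while the pipe was alive. */
static int demo_fixed_rejects_post(void)
{
    struct watch_queue wq = {0};
    struct pipe *p = pipe_alloc(2, &wq);
    if (post_one_notification(&wq) != 2)
        return -99;
    pipe_release_fixed(p);
    return post_one_notification(&wq);
}

int main(void)
{
    printf("buggy teardown leaves a dangling pipe pointer: %d\n",
           demo_buggy_leaves_dangling());
    printf("fixed teardown, post after release returns: %d\n",
           demo_fixed_rejects_post());
    return 0;
}
```

Build with `cc -fsanitize=address` if you want to see the difference in kind: the fixed path never touches freed memory, while adding a dereference after `pipe_release_buggy` is exactly the read KASAN reported in the subject line.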