[PATCH v3] kernel/watch_queue: Make pipe NULL while clearing watch_queue

Eric Biggers ebiggers at kernel.org
Wed Aug 3 01:16:13 UTC 2022 

On Tue, Aug 02, 2022 at 12:19:05AM +0530, Siddh Raman Pant wrote:
> On Mon, 01 Aug 2022 21:46:42 +0530  Dipanjan Das <mail.dipanjan.das at gmail.com> wrote:
> > Are you referring to the reproducer attached to our original report?
> > https://lore.kernel.org/all/CANX2M5bHye2ZEEhEV6PUj1kYL2KdWYeJtgXw8KZRzwrNpLYz+A@mail.gmail.com/
>  
> Yes, I meant the reproducer you gave.
> 
> I suspect I must have missed CONFIG_WATCH_QUEUE=y while setting the kernel
> up, extremely sorry for it.
> 
> I now tried 5.10.y with it (using a modification of syzkaller's dashboard
> config I had been using[1]), and I'm getting a __post_watch_notification()
> crash (which is a related crash, as the fix[2][3] for that causes the
> reproducer to not reproduce the post_one_notification crash on mainline),
> but not the post_one_notification() crash you had reported. It seems if I
> apply my patch, it doesn't trigger this related crash, so these bugs are
> seem to be very related maybe due to racing? I haven't looked at that yet.
> 
> I then tried on v5.10.131 since that was the exact version you had
> reproduced on, and it reproduces the post_one_notification() error
> successfully. Applying 353f7988dd84 causes __post_watch_notification()
> crash, and then applying this v3 patch does not trigger the issue, but
> the patch to fix __post_watch_notification() crash is [2], which does
> not really address the issue of post_one_notification() crash which
> is due to the dangling reference to a freed pipe.
> 
> Can you please try reproducer at your end?
> 
> Thanks,
> Siddh

There were several watch_queue fixes that got merged in v5.10.134, so there's no
point in testing v5.10.131.  If you're still seeing a bug in the *latest*
5.10.y, then please check whether it's also present upstream.  If yes, then send
out a fix for it.  If no, then tell stable at vger.kernel.org what commit(s) need
to be backported.  Please provide *full* details in each case, including any
KASAN reports or other information that would help people understand the bug.

- Eric

More information about the Linux-security-module-archive mailing list