From: Siddh Raman Pant
To: David Howells, Christophe JAILLET, Eric Dumazet, "Fabio M. De Francesco"
Cc: linux-security-modules, linux-kernel, linux-kernel-mentees, syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com
Message-ID: <20220724040240.7842-1-code@siddh.me>
Subject: [PATCH v2] kernel/watch_queue: Make pipe NULL while clearing watch_queue
Date: Sun, 24 Jul 2022 09:32:40 +0530
X-Mailing-List: linux-kernel@vger.kernel.org

If not done, a reference to a freed pipe remains in the watch_queue, as
this function is called before freeing a pipe in free_pipe_info() (see
line 834 of fs/pipe.c).

This causes a UAF when post_one_notification tries to access the pipe on
a key update, which is reported by syzbot.

Bug report: https://syzkaller.appspot.com/bug?id=1870dd7791ba05f2ea7f47f7cbdde701173973fc

Reported-and-tested-by: syzbot+c70d87ac1d001f29a058@syzkaller.appspotmail.com
Signed-off-by: Siddh Raman Pant
---
Changes since v1:
- Removed the superfluous ifdef guard.

 kernel/watch_queue.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index bb9962b33f95..0357e5c6cf18 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -637,8 +637,15 @@ void watch_queue_clear(struct watch_queue *wqueue) =09=09spin_lock_bh(&wqueue->lock); =09} =20 -=09spin_unlock_bh(&wqueue->lock); =09rcu_read_unlock(); + +=09/* Clearing the watch queue, so we should clean the associated pipe. */ +=09if (wqueue->pipe) { +=09=09wqueue->pipe->watch_queue =3D NULL; +=09=09wqueue->pipe =3D NULL; +=09} + +=09spin_unlock_bh(&wqueue->lock); } =20 /** --=20 2.35.1
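Review bot: the hunk moves spin_unlock_bh(&wqueue->lock) below rcu_read_unlock() so that the new block clearing wqueue->pipe runs with the spinlock still held, but the changelog ("Changes since v1: Removed the superfluous ifdef guard") does not say why the unlock had to move; one sentence in the commit message stating that wqueue->pipe is now written only under wqueue->lock, so a reader holding that lock sees either the live pipe or NULL, would record the invariant the fix depends on. Related logic point: nulling wqueue->pipe only prevents the UAF if every reader of that field checks for NULL under the same lock; the commit message names post_one_notification() as the reader that dereferenced the freed pipe, yet nothing in this patch touches it, so please either confirm in the changelog that it already tolerates a NULL wqueue->pipe or add that check in the same series. Minor: the added comment "Clearing the watch queue, so we should clean the associated pipe." restates the action rather than the reason; something like "free_pipe_info() is about to free the pipe; drop both links so post_one_notification() cannot reach it" would tell the next reader why both pointers are severed here.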
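As an added illustration of the dangling back-pointer pattern the commit message describes, here is a small user-space model (not code from the patch, the kernel, or the author): a queue object holds a pointer to a pipe, the pipe is freed before the queue, and a later "post" walks the stale pointer. The names (model_wqueue, model_pipe, clear_queue_dangling, clear_queue_fixed, free_pipe, scenario) are hypothetical, the lock is a single-threaded stand-in that only checks lock discipline, and the freed pipe is kept in memory with an `alive` flag so the bad path reports a use-after-free code instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; this is a user-space model, not kernel code. */
struct model_wqueue;

struct model_pipe {
    struct model_wqueue *watch_queue;   /* pipe -> queue back-pointer */
    int alive;                          /* 1 while the pipe is "allocated" */
    int notifications;                  /* how many posts reached it */
};

/* Single-threaded stand-in for a spinlock: only checks lock discipline. */
struct model_lock { int held; };

struct model_wqueue {
    struct model_lock lock;             /* stands in for wqueue->lock */
    struct model_pipe *pipe;            /* queue -> pipe pointer */
};

static void lock_take(struct model_lock *l)    { if (l->held) abort(); l->held = 1; }
static void lock_release(struct model_lock *l) { if (!l->held) abort(); l->held = 0; }

/* Results of post_notification(). */
enum { POSTED = 1, DROPPED_NO_PIPE = 0, USE_AFTER_FREE = -1 };

/* Consumer side, modelled on the role of post_one_notification(): read
 * the queue's pipe pointer under the queue lock and tolerate NULL. */
static int post_notification(struct model_wqueue *wq)
{
    int rc;

    lock_take(&wq->lock);
    if (!wq->pipe)
        rc = DROPPED_NO_PIPE;
    else if (!wq->pipe->alive)
        rc = USE_AFTER_FREE;            /* a real kernel touches freed memory here */
    else {
        wq->pipe->notifications++;
        rc = POSTED;
    }
    lock_release(&wq->lock);
    return rc;
}

/* "Before": tear the queue down but leave its pipe pointer in place. */
static void clear_queue_dangling(struct model_wqueue *wq)
{
    lock_take(&wq->lock);
    /* (watches would be dropped here) */
    lock_release(&wq->lock);
}

/* "After": sever both directions of the link while holding the lock, so a
 * later poster observes NULL instead of a stale pointer. */
static void clear_queue_fixed(struct model_wqueue *wq)
{
    lock_take(&wq->lock);
    if (wq->pipe) {
        wq->pipe->watch_queue = NULL;
        wq->pipe = NULL;
    }
    lock_release(&wq->lock);
}

/* Model of free_pipe_info(): clear the queue first, then release the pipe.
 * The pipe's storage is kept so the caller can observe alive == 0 instead
 * of crashing on freed memory. */
static void free_pipe(struct model_pipe *p, void (*clear)(struct model_wqueue *))
{
    if (p->watch_queue)
        clear(p->watch_queue);
    p->alive = 0;
}

/* One scenario: post, free the pipe, post again (the "key update" from the
 * syzbot report); return the second post's result. */
static int scenario(void (*clear)(struct model_wqueue *))
{
    struct model_wqueue wq;
    struct model_pipe pipe;

    memset(&wq, 0, sizeof(wq));
    memset(&pipe, 0, sizeof(pipe));
    pipe.alive = 1;
    pipe.watch_queue = &wq;
    wq.pipe = &pipe;

    if (post_notification(&wq) != POSTED)
        abort();
    free_pipe(&pipe, clear);
    return post_notification(&wq);
}

int main(void)
{
    printf("pipe pointer left dangling: %d (%d = use-after-free)\n",
           scenario(clear_queue_dangling), USE_AFTER_FREE);
    printf("pipe pointer cleared:       %d (%d = safely dropped)\n",
           scenario(clear_queue_fixed), DROPPED_NO_PIPE);
    return 0;
}
```

The point the model makes is the same one the patch relies on: clearing the queue-side pointer is only half of the fix; the consumer must read that pointer under the same lock and treat NULL as "drop the notification", otherwise the write in clear_queue_fixed() races with a reader that already loaded the old value.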