Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp10078022rwb; Fri, 25 Nov 2022 00:19:51 -0800 (PST) X-Google-Smtp-Source: AA0mqf5DkPmMnUUIsBWcz6PqoNsqGfYxAvvu9CWZDuafdnyhB0g7XlQTaZYvGf9FpbHv4X+QsnbI X-Received: by 2002:a17:906:99d3:b0:78d:c7fd:f755 with SMTP id s19-20020a17090699d300b0078dc7fdf755mr15187299ejn.702.1669364391139; Fri, 25 Nov 2022 00:19:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669364391; cv=none; d=google.com; s=arc-20160816; b=TdnPZNU2dvE30br+UHY8lxaZwjJLU2nefNLFcZl/MRmJ/WdpEo2bVHs5ncNa+J7hpp FlpKBTYvFQFMU584ZYWeDSi/cQOqPfXhaNU6jAFQilRNfStYeHNnDhWomjXkYg2UwLlT ULKbMPxr7+r4B805z7yRBJIn9r/N0OgrxqE29BGB0sLT7UVPZbtus8pLJHOqi2O+o4zF vqW6X6Hf1IxWGipFpwqagpVpZ6AaYZuWmQUuxOxLUZ5DyCPg6BQs0amFpskEUp2BnHjM VgfGTK0XX/fZTYlIwm7UtpmFci159CVej3pQB7HEQsCX1EOteLBXj/9pzpdxZZpQkWBs DNqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=B+n9e7uEmSwGX9rBRF4qZw21drQ2WC9wwXipbDkVvhk=; b=A2F0YWNNk2x3l4eLCncLTP6+oNCkaF6CAkMCnLhcs7zHp/rUsfJpF2X/AD3/jSqSAD jt5YCm8R9Tu9VXj6HRYxh9nIAShzn0hHzj5AU2MPQlkOvO68vfoUBroTBY4zWcu4qJFu rAFNbQh9Rnw+m6nmvXSXD0saBw/yT3cakOpEKaLtSa+vbv9PK30BHUJO5ofAOhcH1Iup XjkQvFff0ZIynmXT+zD9boOlssbRkuoTQkCeuVdRBCy8l4jlL1QrSw4J97AA9+1W44Rk oqjkdhRn2J4FkoIMHogD2mjJBW1e5K0/aR6v9aQz1CsxFrksLek9o6bUiRjQ+oaBe1WF zYXA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hr40-20020a1709073fa800b007417040d1c5si3016779ejc.823.2022.11.25.00.19.30; Fri, 25 Nov 2022 00:19:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229762AbiKYHw7 (ORCPT + 87 others); Fri, 25 Nov 2022 02:52:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43738 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229493AbiKYHw6 (ORCPT ); Fri, 25 Nov 2022 02:52:58 -0500 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC8DC1F2CD; Thu, 24 Nov 2022 23:52:56 -0800 (PST) Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.54]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4NJRsd0tQ9zmWC2; Fri, 25 Nov 2022 15:52:21 +0800 (CST) Received: from dggpemm500006.china.huawei.com (7.185.36.236) by dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 25 Nov 2022 15:52:55 +0800 Received: from [10.174.178.55] (10.174.178.55) by dggpemm500006.china.huawei.com (7.185.36.236) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 25 Nov 2022 15:52:54 +0800 Subject: Re: [PATCH] pipe: fix potential use-after-free in pipe_read() To: Al Viro CC: Matthew Wilcox , , , David Howells References: <20221117115323.1718-1-thunder.leizhen@huawei.com> From: "Leizhen (ThunderTown)" Message-ID: <3a38686c-040a-202c-2778-7670a2b3f087@huawei.com> Date: Fri, 25 Nov 2022 15:52:53 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.178.55] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To dggpemm500006.china.huawei.com (7.185.36.236) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022/11/25 14:33, Al Viro wrote: > On Thu, Nov 17, 2022 at 07:53:23PM +0800, Zhen Lei wrote: >> Accessing buf->flags after pipe_buf_release(pipe, buf) is unsafe, because >> the 'buf' memory maybe freed. > > Huh? What are you talking about? > struct pipe_buffer *buf = &pipe->bufs[tail & mask]; > To free *buf you would need to free the entire damn array, which is > obviously not going to be possible here; if you are talking about reuse > of *buf - that's controlled by pipe->tail, and we do not assign it until > later. > > Fetching any fields of *buf is safe; what can get freed is buf->page, not > buf itself. So that buf->flags access is fine. Right. Thank you for explaining clearly. Sorry, I misunderstood in the course of learning. > > . > -- Regards, Zhen Lei