Re: [PATCH] fs/aio: fix uaf in sys_io_cancel

From: Bart Van Assche
Date: Mon Mar 04 2024 - 12:40:47 EST

Next message: T.J. Mercier: "Re: [PATCH v4 1/2] selftests/dmabuf-heap: conform test to TAP format output"
Previous message: Kees Cook: "Re: [PATCH] usercopy: delete __noreturn from usercopy_abort"
In reply to: Benjamin LaHaise: "Re: [PATCH] fs/aio: fix uaf in sys_io_cancel"
Next in thread: Benjamin LaHaise: "Re: [PATCH] fs/aio: fix uaf in sys_io_cancel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/4/24 09:31, Benjamin LaHaise wrote:

A revert is justified when a series of patches is buggy and had
insufficient review prior to merging.

That's not how Linux kernel development works. If a bug can get fixed
easily, a fix is preferred instead of reverting + reapplying a patch.

Using the "a kernel warning hit" approach for work on cancellation is
very much a sign that the patches were half baked.

Is there perhaps a misunderstanding? My patches fix a kernel warning and
did not introduce any new WARN*() statements.

Why are you touching the kiocb after ownership has already been
passed on to another entity?

Touching the kiocb after ownership has been passed is the result of an
oversight. Whether or not kiocb->ki_cancel() transfers ownership depends
on the I/O type. The use-after-free was not introduced on purpose.

Bart.

Next message: T.J. Mercier: "Re: [PATCH v4 1/2] selftests/dmabuf-heap: conform test to TAP format output"
Previous message: Kees Cook: "Re: [PATCH] usercopy: delete __noreturn from usercopy_abort"
In reply to: Benjamin LaHaise: "Re: [PATCH] fs/aio: fix uaf in sys_io_cancel"
Next in thread: Benjamin LaHaise: "Re: [PATCH] fs/aio: fix uaf in sys_io_cancel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]