review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Siddh Raman Pant <code@siddh.me>
	Mon, 5 Jun 2023 14:36:16 +0000 (20:06 +0530)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 19 Jul 2023 14:22:10 +0000 (16:22 +0200)
commit	219a9ec09dd1aef3514b7b9e2030e1d0e804b38c
tree	677e236d0fad9174ab15b5a227626345ac0f4641	tree \| snapshot
parent	7ecea5ce3dc17339c280c75b58ac93d8c8620d9f	commit \| diff

watch_queue: prevent dangling pipe pointer

commit 943211c87427f25bd22e0e63849fb486bb5f87fa upstream.

NULL the dangling pipe reference while clearing watch_queue.

If not done, a reference to a freed pipe remains in the watch_queue,
as this function is called before freeing a pipe in free_pipe_info()
(see line 834 of fs/pipe.c).

The sole use of wqueue->defunct is for checking if the watch queue has
been cleared, but wqueue->pipe is also NULLed while clearing.

Thus, wqueue->defunct is superfluous, as wqueue->pipe can be checked
for NULL. Hence, the former can be removed.

Tested with keyutils testsuite.

Cc: stable@vger.kernel.org # 6.1
Signed-off-by: Siddh Raman Pant <code@siddh.me>
Acked-by: David Howells <dhowells@redhat.com>
Message-Id: <20230605143616.640517-1-code@siddh.me>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/linux/watch_queue.h		diff \| blob \| history
kernel/watch_queue.c		diff \| blob \| history