From: Greg KH <gregkh@linuxfoundation.org>
To: XIAO WU <xiaowu.417@qq.com>
Cc: Li Xiasong <lixiasong1@huawei.com>, Jon Maloy <jmaloy@redhat.com>,
stable@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Ying Xue <ying.xue@windriver.com>,
Tuong Lien <tuong.t.lien@dektech.com.au>,
netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
yuehaibing@huawei.com, zhangchangzhong@huawei.com,
weiyongjun1@huawei.com
Subject: Re: [PATCH net] tipc: restrict socket queue dumps in enqueue tracepoints
Date: Sun, 21 Jun 2026 07:39:24 +0200 [thread overview]
Message-ID: <2026062113-reflex-enforcer-441e@gregkh> (raw)
In-Reply-To: <tencent_EC8B2032C1F9358EA3B49645F0F2277B210A@qq.com>
On Sun, Jun 21, 2026 at 09:21:15AM +0800, XIAO WU wrote:
> Hi Li Xiasong,
>
> I see this patch was merged into net.git as commit acd7df8d9554 — thanks
> for the fix. However, a Sashiko AI code review [1] flagged that
> `tipc_poll()` in the same file has the identical pre-existing issue: it
> calls `trace_tipc_sk_poll()` with `TIPC_DUMP_ALL`, which triggers a dump
> of all socket queues without holding the socket owner lock. The merged
> fix addressed `tipc_sk_enqueue()` but left `tipc_poll()` unchanged.
>
> I was able to reproduce the remaining use-after-free in QEMU with KASAN
> by racing `tipc_poll()` against `tipc_recvmsg()` on the same socket.
Great, can you send a fix for this?
thanks,
greg k-h
prev parent reply other threads:[~2026-06-21 5:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 13:56 [PATCH net] tipc: restrict socket queue dumps in enqueue tracepoints Li Xiasong
2026-06-13 2:34 ` Tung Quang Nguyen
2026-06-13 22:10 ` patchwork-bot+netdevbpf
2026-06-21 1:21 ` XIAO WU
2026-06-21 5:39 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026062113-reflex-enforcer-441e@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jmaloy@redhat.com \
--cc=kuba@kernel.org \
--cc=lixiasong1@huawei.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tipc-discussion@lists.sourceforge.net \
--cc=tuong.t.lien@dektech.com.au \
--cc=weiyongjun1@huawei.com \
--cc=xiaowu.417@qq.com \
--cc=ying.xue@windriver.com \
--cc=yuehaibing@huawei.com \
--cc=zhangchangzhong@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.