Linus Torvalds writes:

And rather than being about "pipe->bufs[]" array, it's the pipe pointer itself that seems corrupted, and thus the oops happens in the account_pipe_buffers() code instead of in the loop over the buffers.

Of course, both are consistent with that "pipe_inode_info" simply having been overwritten by something else (possibly, but not necessarily, due to a use-after-free).

[...]

and see what it catches...

Actually, I'm looking at *another* error path - the one in named pipes. But named pipes have to have the pipe data associated with a particular inode.

And that code actually does look wrong.

Look at fifo_open(): it increments the pipe->files as it sets filp->private_data to point to the pipe_inode_info.