[Bugme-janitors] [Bug 6958] New: Use after free of a cdev in cdev_put() in char_dev.c
bugme-daemon at bugzilla.kernel.org
Fri Aug 4 10:11:30 PDT 2006
http://bugzilla.kernel.org/show_bug.cgi?id=6958
Summary: Use after free of a cdev in cdev_put() in char_dev.c
Kernel Version: 2.6.12.6
Status: NEW
Severity: normal
Owner: fs_other at kernel-bugs.osdl.org
Submitter: philippe.bauwens at bull.com
Most recent kernel where this bug did not occur:
Distribution: BAS4
Hardware Environment: IA64
Software Environment:
Problem Description: If a char device disappears while in use, and a close is
attempted, cdev_put will use the struct cdev after it has been kfreed.
cdev_put() calls kobj_put(), which will end up calling cdev_dynamic_release
(kobject_cleanup does the actual call).
When kobj_put() returns, module_put() will use an already freed cdev.
Easy to fix by calling module_put() before calling kobj_put().
Steps to reproduce: Use slab_debug to demonstrate use after free.
Configure SG devices and open a fiber channel SG device from a program and wait.
Pull the fiber cable to that device and let the program do the close.
The system will crash with a bad pointer in cdev_put due to the memory
poisoning from slab_debug.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
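
The ordering problem described in the report, as an added userspace model; this is not the kernel's code and not part of the original message. The structs are cut down to the fields involved, `slot`, `cdev_new`, `cdev_put_reported`, `cdev_put_suggested` and `is_poison` are hypothetical names, and the "free" is modeled as poisoning a static object with an assumed 0x6b byte so the stale read stays well-defined.

```c
#include <stddef.h>
#include <string.h>

#define POISON_FREE 0x6b /* assumed poison byte written into freed objects */
struct module  { int refcnt; };
struct kobject { int refcnt; void (*release)(struct kobject *); };
struct cdev    { struct kobject kobj; struct module *owner; };
static struct cdev slot; /* constructed stand-in for one kmalloc'ed cdev */

/* Model of the release path: "free" poisons the cdev but leaves it readable. */
static void cdev_dynamic_release(struct kobject *kobj)
{
    struct cdev *p = (struct cdev *)((char *)kobj - offsetof(struct cdev, kobj));
    memset(p, POISON_FREE, sizeof(*p));
}
static void kobj_put(struct kobject *k) { if (--k->refcnt == 0) k->release(k); }
static void module_put(struct module *m) { m->refcnt--; }

static struct cdev *cdev_new(struct module *owner)
{
    slot = (struct cdev){ { 1, cdev_dynamic_release }, owner };
    owner->refcnt++;
    return &slot;
}

/* Reported order: returns the pointer module_put() would be handed. */
static struct module *cdev_put_reported(struct cdev *p)
{
    kobj_put(&p->kobj);  /* last reference dropped, object released here */
    return p->owner;     /* read from the already released cdev */
}

/* Order suggested in the report: module_put() first, then kobj_put(). */
static struct module *cdev_put_suggested(struct cdev *p)
{
    struct module *owner = p->owner;
    module_put(owner);
    kobj_put(&p->kobj);
    return owner;
}

static int is_poison(struct module *m)
{
    unsigned char pat[sizeof(m)];
    memset(pat, POISON_FREE, sizeof(pat));
    return memcmp(&m, pat, sizeof(m)) == 0;
}

int main(void) { struct module m = {0}; return !is_poison(cdev_put_reported(cdev_new(&m))); }
```

In the reported order the owner pointer comes back as the poison pattern, which corresponds to the bad pointer in cdev_put that the report describes under slab debugging.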