[Bugme-janitors] [Bug 6958] New: Use after free of a cdev in cdev_put() in char_dev.c

bugme-daemon at bugzilla.kernel.org bugme-daemon at bugzilla.kernel.org
Fri Aug 4 10:11:30 PDT 2006


http://bugzilla.kernel.org/show_bug.cgi?id=6958

           Summary: Use after free of a cdev in cdev_put() in char_dev.c
    Kernel Version: 2.6.12.6
            Status: NEW
          Severity: normal
             Owner: fs_other at kernel-bugs.osdl.org
         Submitter: philippe.bauwens at bull.com


Most recent kernel where this bug did not occur:
Distribution:BAS4
Hardware Environment:IA64 
Software Environment:
Problem Description: If a char device disappears while in use, and a close is
attempted, cdev_put will use the struct cdev after it has been kfreed.

cdev_put() calls kobj_put(), which will end up calling cdev_dynamic_release
(kobject_cleanup does the actual call).
When kobj_put() returns, module_put() will use an already freed cdev.

Easy to fix by calling module_put() before calling kobj_put().

Steps to reproduce: Use slab_debug to demonstrate the use after free.
Configure SG devices and open a fiber channel SG device from a program and wait;
pull the fiber cable to that device and let the program do the close.
The system will crash with a bad pointer in cdev_put due to the memory
poisoning from slab_debug.
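The ordering problem described in this report, modelled in user-space C as an added example (it is neither the kernel's code nor the reporter's): kfree is replaced by in-place slab-style poisoning, so the buggy cdev_put reads a poisoned owner pointer after kobject_put, while the corrected version reads the owner before dropping the last reference. The struct layouts, the poison check in module_put and the run_close scenario are constructed for this model.

```c
#include <string.h>
#define POISON_FREE 0x6b /* byte slab_debug writes over freed memory */

/* Constructed user-space model of the objects involved; not the kernel's code. */
struct module { int refcnt; };
struct kobject { int refcount; void (*release)(struct kobject *); };
struct cdev { struct kobject kobj; struct module *owner; };
struct close_result { int status; int owner_refcnt; };

/* kfree is modelled as poisoning the cdev in place, as slab_debug does. */
static void cdev_dynamic_release(struct kobject *k) {
    memset(k, POISON_FREE, sizeof(struct cdev)); /* kobj is the first member */
}

static void kobject_put(struct kobject *k) {
    if (--k->refcount == 0)
        k->release(k); /* kobject_cleanup -> cdev_dynamic_release */
}

/* Returns -1 on a slab-poison pointer (a real module_put() would oops on it), else drops the ref. */
static int module_put(struct module *m) {
    struct module *poison;
    memset(&poison, POISON_FREE, sizeof poison);
    if (memcmp(&m, &poison, sizeof m) == 0)
        return -1;
    m->refcnt--;
    return 0;
}

/* Ordering reported in the bug: owner is read after the last reference dropped. */
static int cdev_put_buggy(struct cdev *p) {
    kobject_put(&p->kobj);
    return module_put(p->owner); /* p may already be freed here */
}

/* Fixed ordering: take the owner pointer before the put can free p. */
static int cdev_put_fixed(struct cdev *p) {
    struct module *owner = p->owner;
    kobject_put(&p->kobj);
    return module_put(owner);
}

/* Close of a device that was already removed: the cdev holds its last reference. */
static struct close_result run_close(int use_fixed) {
    struct module owner = { 1 }; /* reference taken at open */
    struct cdev dev = { { 1, cdev_dynamic_release }, &owner };
    struct close_result r = { use_fixed ? cdev_put_fixed(&dev) : cdev_put_buggy(&dev), 0 };
    r.owner_refcnt = owner.refcnt;
    return r;
}
```

With the buggy ordering the module reference is never dropped and the poisoned pointer is what the real kernel would have dereferenced; with the fixed ordering the owner's count goes back to zero.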
