Bug 6958

Summary: Use after free of a cdev in cdev_put() in char_dev.c
Product: File System
Reporter: Philippe Bauwens (philippe.bauwens)
Component: Other
Assignee: fs_other
Status: CLOSED PATCH_ALREADY_AVAILABLE
Severity: normal
CC: nacc
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.12.6
Subsystem:
Regression: ---
Bisected commit-id:
Attachments: patch used

Description Philippe Bauwens 2006-08-04 10:06:25 UTC
Most recent kernel where this bug did not occur:
Distribution: BAS4
Hardware Environment: IA64
Software Environment:
Problem Description: If a char device disappears while in use and a close is
attempted, cdev_put will use the struct cdev after it has been kfreed.

cdev_put() calls kobj_put(), which will end up calling cdev_dynamic_release
(kobject_cleanup does the actual call).
When kobj_put() returns, module_put() will use an already freed cdev.

Easy to fix by calling module_put() before calling kobj_put().

Steps to reproduce: Use slab_debug to demonstrate the use after free.
Configure SG devices and open a fiber channel SG device from a program and wait;
pull the fiber cable to that device and let the program do the close.
The system will crash with a bad pointer in cdev_put due to the memory
poisoning from slab_debug.
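Added illustration (not part of the bug report, the attached patch, or the kernel source): a user-space model of the ordering problem described in the report. The sim_* helpers, fake_slab and run_scenario are assumptions made for the example; the poison byte 0x6b is the value Linux slab debugging writes over freed memory. The buggy put follows the sequence the report describes (kobject_put, then module_put(p->owner) read from the freed cdev); the fixed put copies the owner to a local before the put that may free the cdev, which achieves the same thing as the reporter's suggestion of dropping the module reference first.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b /* byte Linux slab debugging writes over freed memory */

/* Stand-in for the module whose refcount cdev_put() must drop (sg here). */
struct module { const char *name; int refcnt; };

/* Model of struct cdev: a refcount standing in for the embedded kobject,
 * the release callback the kobject would run, and the owning module. */
struct cdev {
    int kref;
    void (*release)(struct cdev *);
    struct module *owner;
};

/* One-object "slab" (assumption): the freed object stays addressable so the
 * buggy path reads the poison instead of faulting, and the outcome can be
 * checked rather than just crashing. */
static struct cdev fake_slab;
static bool slab_in_use;

static struct cdev *sim_kmalloc(void) {
    if (slab_in_use) return NULL;
    slab_in_use = true;
    memset(&fake_slab, 0, sizeof fake_slab);
    return &fake_slab;
}

/* kfree() under slab_debug: fill the object with POISON_FREE. */
static void sim_kfree(struct cdev *p) {
    memset(p, POISON_FREE, sizeof *p);
    slab_in_use = false;
}

static bool slab_is_poisoned(void) {
    const unsigned char *b = (const unsigned char *)&fake_slab;
    for (size_t i = 0; i < sizeof fake_slab; i++)
        if (b[i] != POISON_FREE) return false;
    return true;
}

/* Release callback kobject_cleanup() would run for a dynamically allocated cdev. */
static void cdev_dynamic_release(struct cdev *p) { sim_kfree(p); }

/* kobject_put(): dropping the last reference runs release, which frees p. */
static void sim_kobject_put(struct cdev *p) {
    if (--p->kref == 0) p->release(p);
}

static struct module sg_module = { "sg", 0 };

/* module_put(): false for a pointer that is not a live module, the analogue
 * of the kernel oopsing on the 0x6b6b... pointer read from poisoned memory. */
static bool sim_module_put(struct module *m) {
    if (m != &sg_module) return false;
    m->refcnt--;
    return true;
}

/* Ordering the report describes: kobject_put() frees p, then p->owner is
 * read from the freed object. */
static bool cdev_put_buggy(struct cdev *p) {
    sim_kobject_put(p);
    return sim_module_put(p->owner); /* use after free */
}

/* Fixed ordering: copy the owner out before dropping the reference that may
 * free p, then drop the module reference from the local copy. */
static bool cdev_put_fixed(struct cdev *p) {
    struct module *owner = p->owner;
    sim_kobject_put(p);
    return sim_module_put(owner);
}

/* The close in the report: the device is already gone, so the closing process
 * holds the last reference and this put frees the cdev. Returns whether
 * module_put() was handed a valid module pointer. */
static bool run_scenario(bool (*put)(struct cdev *)) {
    struct cdev *p = sim_kmalloc();
    if (!p) return false;
    p->kref = 1;
    p->release = cdev_dynamic_release;
    p->owner = &sg_module;
    sg_module.refcnt = 1;
    return put(p);
}

int main(void) {
    bool buggy = run_scenario(cdev_put_buggy);
    bool fixed = run_scenario(cdev_put_fixed);
    printf("buggy cdev_put: module_put got %s pointer\n", buggy ? "a valid" : "a poisoned");
    printf("fixed cdev_put: module_put got %s pointer, sg refcnt=%d\n",
           fixed ? "a valid" : "a poisoned", sg_module.refcnt);
    return 0;
}
```

Note that the buggy path does not only crash: when module_put() is handed garbage, the sg module's reference count is never dropped, so even a kernel that survived the bad pointer would be left with a module that can no longer be unloaded.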
Comment 1 Philippe Bauwens 2006-08-04 10:08:55 UTC
Created attachment 8699 [details]
patch used
Comment 2 Nishanth Aravamudan 2006-08-04 10:15:22 UTC
Is this a bug in 2.6.17.7 or 2.6.18-rc3? Old kernels are not very useful to
file kernel.org bugs against.
Comment 3 Philippe Bauwens 2006-08-04 10:31:37 UTC
OK I should have checked first. It's fixed in 2.6.17.2