Most recent kernel where this bug did not occur:
Distribution: BAS4
Hardware Environment: IA64
Software Environment:

Problem Description: If a char device disappears while in use, and a close is attempted, cdev_put will use the struct cdev after it has been kfreed. cdev_put() calls kobj_put(), which will end up calling cdev_dynamic_release (kobject_cleanup does the actual call). When kobj_put() returns, module_put() will use an already freed cdev. Easy to fix by calling module_put() before calling kobj_put().

Steps to reproduce: Use slab_debug to demonstrate use after free. Configure SG devices, open a fiber channel SG device from a program and wait. Pull the fiber cable to that device and let the program do the close. The system will crash with a bad pointer in cdev_put due to the memory poisoning from slab_debug.
Created attachment 8699: patch used
Is this a bug in 2.6.17.7 or 2.6.18-rc3? Old kernels are not very useful to file kernel.org bugs against.
OK I should have checked first. It's fixed in 2.6.17.2
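The ordering problem from the report, as an added userspace model (not the kernel source and not the attached patch). The names `cdev_model`, `kobj_put_model`, `put_buggy`, `put_fixed` and `run_case` are hypothetical, and the release path poisons the object with 0x6b, as slab debugging does, instead of freeing it so the stale read can be detected without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#define POISON_FREE 0x6b  /* byte slab debugging writes over freed objects */
static struct module { int refcnt; } mod;
static struct cdev_model { int kobj_refcnt; struct module *owner; } slot; /* one "slab object" */

/* Model of the release path: the last put poisons the object (assumption:
 * poison instead of a real free, so later reads stay defined in this demo). */
static void kobj_put_model(struct cdev_model *p)
{
    if (--p->kobj_refcnt == 0)
        memset(p, POISON_FREE, sizeof *p);
}

static int owner_is_poisoned(const struct cdev_model *p)
{
    struct module *poison;
    memset(&poison, POISON_FREE, sizeof poison);
    return memcmp(&p->owner, &poison, sizeof poison) == 0;
}

/* Order described in the report: kobject put first, then use p->owner. */
static int put_buggy(struct cdev_model *p)
{
    kobj_put_model(p);
    if (owner_is_poisoned(p)) return -1;  /* the kernel would dereference poison here */
    p->owner->refcnt--;
    return 0;
}

/* Order proposed in the report: module put first, kobject put last. */
static int put_fixed(struct cdev_model *p)
{
    p->owner->refcnt--;
    kobj_put_model(p);
    return 0;
}

/* Constructed scenario: one module reference, kobj_refs kobject references. */
static int run_case(int fixed, int kobj_refs)
{
    mod.refcnt = 1; slot.kobj_refcnt = kobj_refs; slot.owner = &mod;
    return fixed ? put_fixed(&slot) : put_buggy(&slot);
}

int main(void)
{
    printf("buggy/last=%d buggy/shared=%d fixed/last=%d\n", run_case(0, 1), run_case(0, 2), run_case(1, 1));
    return 0;
}
```

In the model the buggy order only fails when the put drops the last kobject reference; with a second reference outstanding it returns 0 and the ordering problem stays hidden.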