Bug 6958 - Use after free of a cdev in cdev_put() in char_dev.c
Summary: Use after free of a cdev in cdev_put() in char_dev.c
Status: CLOSED PATCH_ALREADY_AVAILABLE
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: i386 Linux
Importance: P2 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-04 10:06 UTC by Philippe Bauwens
Modified: 2006-08-04 12:04 UTC

See Also:
Kernel Version: 2.6.12.6
Subsystem:
Regression: ---
Bisected commit-id:


Attachments
patch used (343 bytes, patch)
2006-08-04 10:08 UTC, Philippe Bauwens

Description Philippe Bauwens 2006-08-04 10:06:25 UTC
Most recent kernel where this bug did not occur:
Distribution: BAS4
Hardware Environment: IA64
Software Environment:
Problem Description: If a char device disappears while in use, and a close is
attempted, cdev_put will use the struct cdev after it has been kfreed.

cdev_put() calls kobj_put(), which will end up calling cdev_dynamic_release
(kobject_cleanup does the actual call).
When kobj_put() returns, module_put() will use an already freed cdev.

Easy to fix by calling module_put() before calling kobj_put().

Steps to reproduce: Use slab_debug to demonstrate the use after free.
Configure SG devices and open a fiber channel SG device from a program and wait;
pull the fiber cable to that device and let the program do the close.
The system will crash with a bad pointer in cdev_put due to the memory
poisoning from slab_debug.
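The following userland C model is an added illustration, not code from the bug report or from the kernel: it reproduces the ordering mistake described above (the object is released inside kobject_put(), then p->owner is read from it) and the fix the reporter proposes. The names mirror the kernel's (struct cdev, kobject_put, module_put, cdev_dynamic_release), but the reference counting, release and slab poisoning are all simulated, so the stale read is detected and reported instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Added example: a simulation of the cdev/kobject ownership pattern from
 * the report. Nothing here is kernel code; the types are deliberately
 * minimal. POISON_PTR stands in for the slab_debug poison pattern. */
#define POISON_PTR ((struct module *)(uintptr_t)0x6b6b6b6bUL)

struct module  { int refcnt; };
struct kobject { int refcnt; void (*release)(struct kobject *); };
struct cdev    { struct kobject kobj; struct module *owner; };

/* Instead of kfree(), the release handler poisons the object so that a
 * later read is detectable rather than undefined behaviour. */
static void cdev_dynamic_release(struct kobject *kobj)
{
    struct cdev *p = (struct cdev *)kobj;   /* kobj is the first member */
    p->owner = POISON_PTR;
}

/* Drop one kobject reference; the last one runs the release handler. */
static void kobject_put(struct kobject *kobj)
{
    if (--kobj->refcnt == 0)
        kobj->release(kobj);
}

/* Returns 0 on success, -1 when handed a poisoned (freed) pointer,
 * which is the bad-pointer crash the report describes. */
static int module_put(struct module *mod)
{
    if (mod == POISON_PTR)
        return -1;
    mod->refcnt--;
    return 0;
}

/* Buggy ordering (2.6.12 as described in the report): kobject_put() may
 * release p, yet p->owner is read afterwards. */
static int cdev_put_buggy(struct cdev *p)
{
    kobject_put(&p->kobj);
    return module_put(p->owner);
}

/* Reporter's fix: drop the module reference while p is still valid.
 * Reading p->owner into a local before kobject_put() is equivalent. */
static int cdev_put_fixed(struct cdev *p)
{
    int rc = module_put(p->owner);
    kobject_put(&p->kobj);
    return rc;
}

/* Simulates "device removed while open, then close": the open file
 * holds the last cdev reference, so this put triggers the release.
 * Returns the result of module_put() seen by the chosen cdev_put. */
static int simulate_last_close(int (*put)(struct cdev *))
{
    struct module mod = { .refcnt = 1 };
    struct cdev *p = calloc(1, sizeof *p);
    if (!p)
        return -2;
    p->kobj.refcnt  = 1;
    p->kobj.release = cdev_dynamic_release;
    p->owner        = &mod;
    int rc = put(p);
    free(p);
    return rc;
}

int main(void)
{
    printf("buggy cdev_put: %s\n",
           simulate_last_close(cdev_put_buggy) ? "touched freed cdev" : "ok");
    printf("fixed cdev_put: %s\n",
           simulate_last_close(cdev_put_fixed) ? "touched freed cdev" : "ok");
    return 0;
}
```

The model shows why slab_debug is what makes the bug visible: without poisoning, the stale p->owner read usually still returns the old pointer and the bug stays silent until the slab is reused.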
Comment 1 Philippe Bauwens 2006-08-04 10:08:55 UTC
Created attachment 8699 [details]
patch used
Comment 2 Nishanth Aravamudan 2006-08-04 10:15:22 UTC
Is this a bug in 2.6.17.7 or 2.6.18-rc3? Old kernels are not very useful to
file kernel.org bugs against.
Comment 3 Philippe Bauwens 2006-08-04 10:31:37 UTC
OK, I should have checked first. It's fixed in 2.6.17.2.
