| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Aug 2016 06:16:50 +0100 From: Al Viro <viro@...IV.linux.org.uk> To: Dan Williams <dan.j.williams@...el.com> Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-nvdimm@...ts.01.org Subject: Re: [PATCH] fs/char_dev: fix cdev_put() vs f_op->release() use-after-free On Wed, Aug 10, 2016 at 09:49:22PM -0700, Dan Williams wrote: > Where dax_dev_release() is the f_op->release() method, and is > implemented to simply drop the final references on our driver objects: > > struct dax_dev *dax_dev = filp->private_data; > struct device *dev = dax_dev->dev; > > dev_dbg(dax_dev->dev, "%s\n", __func__); > put_device(dev); > dax_dev_put(dax_dev); > > The dax_dev object embeds a 'struct cdev' which means f_op->release() > may free cdev, so __fput() needs to drop the cdev reference before > calling f_op->release(). NAK. You *can't* free a structure that contains kobj with currently positive refcount. Ever. If you embed a struct kobj into something, you must use the refcount of that kobj (or one of its ancestors) to control the lifetime of containing object. If your dax_dev_put() can trigger freeing of dax_dev despite the still-positive refcount of embedded cdev.kobj, it is fundamentally broken.
Powered by blists - more mailing lists