Message-ID: <CACVXFVOKi=wKsLP850XJ95P=e1B2z+CP=t0GATCZL0gNDOCwnA@mail.gmail.com>
Date: Sun, 17 Mar 2013 09:02:09 +0800
From: Ming Lei <tom.leiming@...il.com>
To: Sasha Levin <levinsasha928@...il.com>
Cc: Hillf Danton <dhillf@...il.com>, Dave Jones <davej@...hat.com>,
Greg Kroah-Hartman <greg@...ah.com>,
Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: use after free in sysfs_find_dirent
On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin <levinsasha928@...il.com> wrote:
>
> I don't think it shows what we want it to show though:
>
> [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: G W 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301
> [ 327.418815] Call Trace:
> [ 327.419255] [<ffffffff812f880e>] release_sysfs_dirent+0x4e/0x120
> [ 327.420595] [<ffffffff812f89d2>] sysfs_dir_pos+0x92/0x130
> [ 327.421608] [<ffffffff812f8b8d>] sysfs_readdir+0x11d/0x280
> [ 327.422562] [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
> [ 327.423441] [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
> [ 327.424314] [<ffffffff8128b3e8>] vfs_readdir+0x78/0xc0
> [ 327.425263] [<ffffffff8128b54c>] SyS_getdents+0x8c/0x110
> [ 327.426173] [<ffffffff83d919d8>] tracesys+0xe1/0xe6
>
Sasha, it looks like there is a race when sys_readdir() is run concurrently
on the same directory, and the patch below may fix the race. Could you test the
attached patch to see if the use after free can be fixed?
Thanks,
--
Ming Lei
Download attachment "sysfs-fix-readdir.patch" of type "application/octet-stream" (1593 bytes)