From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
To: Dave Jones <davej@redhat.com>, Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: weird use-after-free bug in module_put
Date: Fri, 19 Oct 2012 09:33:18 -0700
Message-ID: <20121019163318.GA2152@core.coreip.homeip.net>
In-Reply-To: <20121019153452.GB1532@redhat.com>

Hi Dave,
On Fri, Oct 19, 2012 at 11:34:52AM -0400, Dave Jones wrote:
> On Fri, Oct 19, 2012 at 10:43:51AM -0400, Dave Jones wrote:
> > I've hit this twice in the last two days while fuzz testing.
> > (Both times on i686 only, my x86-64 tests aren't hitting it
> > for some reason).
> >
> > BUG: unable to handle kernel paging request at 6b6b6ce3
> > IP: [<c10b52fe>] module_put+0x1e/0x160
> > *pdpt = 0000000025a4b001 *pde = 0000000000000000
> > Oops: 0000 [#1] PREEMPT SMP
> > Modules linked in: fuse tun binfmt_misc nfnetlink nfc caif_socket caif phonet bluetooth rfkill can llc2 pppoe pppox ppp_generic slhc irda crc_ccitt rds af_key decnet rose x25 atm netrom appletalk ipx p8023 psnap p8022 llc ax25 lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_ipv4 ip6table_filter ip6_tables nf_defrag_ipv4 xt_state nf_conntrack kvm_intel kvm microcode serio_raw pcspkr i2c_i801 tg3 i2c_core shpchp raid0 ata_piix
> > Pid: 512, comm: acpid Not tainted 3.7.0-rc1+ #11 Dell Inc. Precision WorkStation 490 /0DT031
> > EIP: 0060:[<c10b52fe>] EFLAGS: 00010246 CPU: 1
> > EIP is at module_put+0x1e/0x160
> > EAX: 00000000 EBX: 6b6b6b6b ECX: 00000000 EDX: c118509c
> > ESI: 00000010 EDI: 6b6b6b6b EBP: e5ae9f44 ESP: e5ae9f34
> > DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
> > CR0: 8005003b CR2: 6b6b6ce3 CR3: 25a4a000 CR4: 000007f0
> > DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> > DR6: ffff0ff0 DR7: 00000400
> > Process acpid (pid: 512, ti=e5ae8000 task=e6311680 task.ti=e5ae8000)
> > Stack:
> > e6062140 6b6b6b6b 00000010 f01ce540 e5ae9f50 c118509c e6062140 e5ae9f80
> > c11821ed 00000001 00000000 00000000 f2073410 ef256814 ef256814 e6062148
> > 00000000 e6311a60 e6311680 e5ae9f88 c118226d e5ae9f9c c1062f19 00000002
> > Call Trace:
> > [<c118509c>] cdev_put+0x1c/0x20
> > [<c11821ed>] __fput+0x20d/0x280
> > [<c118226d>] ____fput+0xd/0x10
> > [<c1062f19>] task_work_run+0x89/0xb0
> > [<c1002c41>] do_notify_resume+0x61/0xa0
> > [<c15d32f0>] work_notifysig+0x29/0x31
> > Code: 51 00 eb df 89 f6 8d bc 27 00 00 00 00 55 89 e5 57 56 53 83 ec 04 66 66 66 66 90 85 c0 89 c7 74 44 b8 01 00 00 00 e8 c2 14 52 00 <8b> 87 78 01 00 00 64 ff 40 04 8b 45 04 89 45 f0 66 66 66 66 90
> >
> >
> > It looks like the chardev went away under our feet.
> > How can this happen ?

We are now removing the instance of the character device corresponding to
the input device when the input device disappears.

Ah, I know... cdev is embedded in evdev, but lives longer. I do want to
keep cdev embedded as it allows me to easily get to evdev in
evdev_open(), but I need to be able to add and then drop a reference to
evdev from cdev's ->release() method. This means I need to override it.
Or I could have cdev separately allocated, but then I'd like to have a
void pointer in "struct cdev" so I could get from it back to the
corresponding evdev.
Al, any recommendation?
Thanks!
--
Dmitry
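The lifetime problem Dmitry describes, as an added user-space model that is not code from this thread or from the kernel: a cdev with its own reference count is embedded in an evdev, a file keeps a cdev reference after the input device is unregistered, and the final cdev_put() then runs against memory whose owner has already been freed. kfree() is modelled as filling the object with 0x6b, the slab poison pattern visible in the oops registers (EBX: 6b6b6b6b), so the stale access can be detected rather than crashing. The simplified kref, the `parent` field and the `pin_parent` flag are hypothetical stand-ins for the "pin the parent" idea discussed in the thread; they are not the real fs/char_dev.c interface.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON 0x6b /* slab poison byte, as in the reported oops */

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct kref { int count; };

struct cdev {
    struct kref kref;                 /* held by registration and by open files */
    void (*release)(struct cdev *);   /* runs when the last cdev reference drops */
    void *parent;                     /* hypothetical: pinned owner, NULL if unpinned */
};

struct evdev {
    struct kref kref;                 /* owner's own reference count */
    struct cdev cdev;                 /* embedded, like the driver in the thread */
    char name[16];
};

/* Model of kfree() with poisoning: memory stays mapped but is overwritten. */
static void evdev_free(struct evdev *e) { memset(e, POISON, sizeof(*e)); }

static bool is_poisoned(const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON) return false;
    return true;
}

static void evdev_get(struct evdev *e) { e->kref.count++; }
static void evdev_put(struct evdev *e) { if (--e->kref.count == 0) evdev_free(e); }

/* Last reference runs ->release. Returns false if the cdev sits in freed
 * memory, which is where the real kernel oopsed in module_put(). */
static bool cdev_put(struct cdev *c) {
    if (is_poisoned(c, sizeof(*c)))
        return false;
    if (--c->kref.count == 0 && c->release)
        c->release(c);
    return true;
}

/* Overridden release: drops the owner reference taken when the parent was pinned. */
static void evdev_cdev_release(struct cdev *c) {
    struct evdev *e = container_of(c, struct evdev, cdev);
    if (c->parent)
        evdev_put(e);
}

static struct evdev *evdev_create(bool pin_parent) {
    struct evdev *e = calloc(1, sizeof(*e));
    e->kref.count = 1;                  /* the input core's reference */
    e->cdev.kref.count = 1;             /* the registration reference */
    e->cdev.release = evdev_cdev_release;
    if (pin_parent) {                   /* cdev keeps its owner alive */
        e->cdev.parent = e;
        evdev_get(e);
    }
    return e;
}

/* Open, unplug, then close. Returns true only if the close never touched
 * freed memory and the owner was eventually freed (no leak). */
static bool run_scenario(bool pin_parent) {
    struct evdev *e = evdev_create(pin_parent);
    struct cdev *file_cdev = &e->cdev;
    file_cdev->kref.count++;            /* evdev_open(): the file pins the cdev */

    cdev_put(&e->cdev);                 /* device unplug: drop registration ref */
    evdev_put(e);                       /* input core lets go of the evdev */

    bool close_ok = cdev_put(file_cdev); /* __fput -> cdev_put, as in the trace */
    bool owner_freed = is_poisoned(e, sizeof(*e));
    free(e);
    return close_ok && owner_freed;
}

int main(void) {
    printf("embedded cdev, owner unpinned: %s\n", run_scenario(false) ? "ok" : "use-after-free");
    printf("embedded cdev, owner pinned:   %s\n", run_scenario(true) ? "ok" : "use-after-free");
    return 0;
}
```

In the unpinned run the owner is poisoned as soon as the core drops its reference, so the file's later cdev_put() lands on 0x6b-filled memory, matching the report. Pinning moves the owner's last put into the cdev release path, so the evdev outlives every open file and is still freed once the final reference goes away.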
Thread overview: 15+ messages
2012-10-19 14:43 weird use-after-free bug in module_put Dave Jones
2012-10-19 15:34 ` Dave Jones
2012-10-19 16:33 ` Dmitry Torokhov [this message]
2012-10-19 17:09 ` Al Viro
2012-10-19 17:36 ` Dmitry Torokhov
2012-10-19 17:50 ` Al Viro
2012-10-19 18:12 ` Dmitry Torokhov
2012-10-21 7:24 ` [PATCH 1/2] char_dev: allow setting up and pinning parent devices Dmitry Torokhov
2012-10-21 7:24 ` [PATCH 2/2] Input: fix use-after-free introduced with dynamic minor changes Dmitry Torokhov
2012-10-21 7:39 ` [PATCH 1/2] char_dev: allow setting up and pinning parent devices Al Viro
2012-10-21 8:13 ` Dmitry Torokhov
2012-10-22 0:57 ` [PATCH 1/2] char_dev: pin parent kobject Dmitry Torokhov
2012-10-22 0:57 ` [PATCH 2/2] Input: fix use-after-free introduced with dynamic minor changes Dmitry Torokhov
2012-10-22 5:02 ` [PATCH 1/2] char_dev: pin parent kobject Linus Torvalds
2012-10-22 5:42 ` Al Viro