Re: 2.6.13-rc4 use after free in class_device_attr_show

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <greg@kroah.com>
To: Maneesh Soni <maneesh@in.ibm.com>
Cc: Keith Owens <kaos@sgi.com>, Andrew Morton <akpm@osdl.org>,
	linux-kernel@vger.kernel.org
Subject: Re: 2.6.13-rc4 use after free in class_device_attr_show
Date: Tue, 2 Aug 2005 10:33:02 -0700	[thread overview]
Message-ID: <20050802173302.GB1799@kroah.com> (raw)
In-Reply-To: <20050802080422.GA32556@in.ibm.com>

On Tue, Aug 02, 2005 at 01:34:22PM +0530, Maneesh Soni wrote:
> Looks like the attribute structure is allocated dynamically and
> is freed before the sysfs_release() is called?
> 
> Basically it could be like this..
> 
> file (/sys/class/vc/vcs16/dev) is still open and the corresponding
> attribute structure is already gone. open files will the keep the
> corresponding dentry and in-turn sysfs_dirent alive.
> 
> sysfs_open_file() does call kobject_get() and it expects the
> kobject to be around while the sysfs files for kobject's corresponding
> attributes are open.
> 
> Greg, could there be cases where the kobject is alive but
> attributes are freed? In those cases we will need some
> way to keep attrbiutes alive while kobject is around.

Well, we need to remove the attributes before we free the kobject,
right?  It looks like we are racing here, I'll dig into this and see if
I can find anything...

thanks,

greg k-h

next prev parent reply	other threads:[~2005-08-02 17:33 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-07-30  5:47 2.6.13-rc4 use after free in class_device_attr_show Keith Owens
2005-07-30  9:29 ` Andrew Morton
2005-08-01 12:14   ` Keith Owens
2005-08-01 14:03     ` Keith Owens
2005-08-01 19:03     ` Andrew Morton
2005-08-02  3:05       ` Keith Owens
2005-08-02  3:32         ` Keith Owens
2005-08-02  8:04         ` Maneesh Soni
2005-08-02 17:33           ` Greg KH [this message]
2005-08-10  6:26           ` Keith Owens
2005-08-10 10:06             ` Maneesh Soni
2005-08-10 22:35               ` Greg KH
2005-08-11  5:34                 ` Maneesh Soni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050802173302.GB1799@kroah.com \
    --to=greg@kroah.com \
    --cc=akpm@osdl.org \
    --cc=kaos@sgi.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maneesh@in.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox