Re: [patch] For 2.4: syscall revoke.

From: Alexander Viro (
Date: Fri Oct 13 2000 - 12:39:19 EST

On Fri, 13 Oct 2000, Dr. Werner Fink wrote:

> Hi,
> hopefully this mail isn't lost because of a nervous `d' finger ;^)
> Last week I've finished the work on the system call revoke for 2.4 and
> done some changes on it suggested by the vendors security list.
> Due to the security issue of the syscall revoke, it would nice to see
> this patch going in 2.4. This would help to close some open security
> issues (e.g. user usage of vcs/vcsa and other devices).
> This implementation of sys_revoke not only removes all references
> of a block or character special file but also all mmap vma's.

It's racey.

        1) one process does read() on device, another does revoke()
followed by rmmod. Oops - nothing holds module in memory, the first
process is executing code from that module (->read(), that is) and
we unmap that code.

        2) every access to ->f_op suddenly becomes unsafe. Basically the
same scenario, but here we have the window between fetching ->f_op and
calling ->f_op->foo. You have no exclusion here, and even if you had, you
still got #1 to deal with.

IOW, it's broken by design - you can't just drop ->f_op and call it
quits. You certainly can't leave any process in the middle of code that
becomes unprotected. And it's not an SMP-only problem - since ->read() may
sleep you have #1 on UP too.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun Oct 15 2000 - 21:00:25 EST