Re: use after free in sysfs_find_dirent

From: Ming Lei
Date: Sat Mar 16 2013 - 21:02:29 EST


On Sun, Mar 17, 2013 at 2:33 AM, Sasha Levin <levinsasha928@xxxxxxxxx> wrote:
>
> I don't think it shows what we want it to show though:
>
> [ 327.416905] Pid: 10504, comm: trinity-child98 Tainted: G W 3.9.0-rc2-next-20130315-sasha-00046-gecde602-dirty #301
> [ 327.418815] Call Trace:
> [ 327.419255] [<ffffffff812f880e>] release_sysfs_dirent+0x4e/0x120
> [ 327.420595] [<ffffffff812f89d2>] sysfs_dir_pos+0x92/0x130
> [ 327.421608] [<ffffffff812f8b8d>] sysfs_readdir+0x11d/0x280
> [ 327.422562] [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
> [ 327.423441] [<ffffffff8128b070>] ? SyS_ioctl+0xa0/0xa0
> [ 327.424314] [<ffffffff8128b3e8>] vfs_readdir+0x78/0xc0
> [ 327.425263] [<ffffffff8128b54c>] SyS_getdents+0x8c/0x110
> [ 327.426173] [<ffffffff83d919d8>] tracesys+0xe1/0xe6
>

Sasha, it looks like there is a race when sys_readdir() is run concurrently
on the same directory, and the patch below may fix the race. Could you test the
attached patch to see if the use after free is fixed?


Thanks,
--
Ming Lei

Attachment: sysfs-fix-readdir.patch
Description: Binary data