Re: [PATCH] Reset file->f_op in snd_card_file_remove(). Take 2

From: Karsten Wiese
Date: Fri Sep 29 2006 - 08:34:42 EST

Next message: Alan Cox: "Re: GPLv3 Position Statement"
Previous message: Ingo Molnar: "Re: 2.6.18-rt1"
In reply to: Takashi Iwai: "Re: [PATCH] Reset file->f_op in snd_card_file_remove(). Take 2"
Next in thread: Ingo Molnar: "Re: [PATCH] Reset file->f_op in snd_card_file_remove(). Take 2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am Freitag, 29. September 2006 12:48 schrieb Takashi Iwai:
> At Thu, 28 Sep 2006 22:28:02 +0200,
> Karsten Wiese wrote:
> >
> > Hi
> >
> > It oopses with 2.6.18-rt4 + alsa-kernel-1.0.13rc3 now.
> > I wrote before, 2.6.18-rt3 + alsa-driver-1.0.13rc3 would be ok,
> > but its not. bug showed again reliably under memory-pressure.
> >
> > Karsten
> >
> > ===
> >
> > Reset file->f_op in snd_card_file_remove(). Take 2
> >
> >
> > i think what happens here is:
> >
> > us428control runs, kernel has allocated a struct file for /dev/hwC1D0.
> >
> > usb disconnect
> >
> > snd_usb_usx2y calls snd_card_disconnect,
> > tells us428control to exit.
> >
> > snd_card_disconnect replaces /dev/hwC1D0's file->f_op
> > with a kmalloc()ed version, that would only allow releases.
> >
> > us428control starts exiting
> >
> > __fput is called with struct file for /dev/hwC1D0.
> >
> > snd_card_file_remove() is called, alsa notices struct file
> > for /dev/hwC1D0 is about to be closed.
> > with patch below, file->f_op would be set NULL now.
> >
> > snd_usb_usx2y's free()s snd_card instance and /dev/hwC1D0's
> > file->f_ops, those that would only allow releases.
> >
> > for reason I would like to know,
> > __fput is called again with struct file for /dev/hwC1D0
> > from us428control's do_exit().
> > __fput see's file->f_op is still set.
> > Without patch and under memory pressure, file->f_op can
> > point to anything now.
> >
> >
> > Signed-off-by: Karsten Wiese <annabellesgarden@xxxxxxxx>
>
> I guess this bug is fixed by Florin's patch below, juding from your
> explanation. Could you check it?
>
Florin's patch fixes it.

This one for immediate consumation by mainline, mm, rt,
and the stable teams, hmm?

Karsten
>
> Takashi
>
> Subject: [PATCH] Dereference after free in snd_hwdep_release()
> From: Florin Malita <fmalita@xxxxxxxxx>
> Date: Thu, 28 Sep 2006 19:45:50 -0400
>
> snd_card_file_remove() may free hw->card so we can't dereference
> hw->card->module after that.
>
> Coverity ID 1420.
>
> Signed-off-by: Florin Malita <fmalita@xxxxxxxxx>
> ---
>
> diff --git a/sound/core/hwdep.c b/sound/core/hwdep.c
> index 9aa9d94..46b4768 100644
> --- a/sound/core/hwdep.c
> +++ b/sound/core/hwdep.c
> @@ -158,6 +158,7 @@ static int snd_hwdep_release(struct inod
> {
> int err = -ENXIO;
> struct snd_hwdep *hw = file->private_data;
> + struct module *mod = hw->card->module;
> mutex_lock(&hw->open_mutex);
> if (hw->ops.release) {
> err = hw->ops.release(hw, file);
> @@ -167,7 +168,7 @@ static int snd_hwdep_release(struct inod
> hw->used--;
> snd_card_file_remove(hw->card, file);
> mutex_unlock(&hw->open_mutex);
> - module_put(hw->card->module);
> + module_put(mod);
> return err;
> }
>
>
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: GPLv3 Position Statement"
Previous message: Ingo Molnar: "Re: 2.6.18-rt1"
In reply to: Takashi Iwai: "Re: [PATCH] Reset file->f_op in snd_card_file_remove(). Take 2"
Next in thread: Ingo Molnar: "Re: [PATCH] Reset file->f_op in snd_card_file_remove(). Take 2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]