Re: use after free in sysfs_find_dirent

From: Sasha Levin
Date: Wed Mar 20 2013 - 10:34:45 EST

On 03/19/2013 09:02 PM, Ming Lei wrote:
> Hi Sasha,
> On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin <levinsasha928@xxxxxxxxx> wrote:
>> On 03/19/2013 07:54 AM, Ming Lei wrote:
>> With v3 of the patch:
>> [ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free: tun(tun)-uevent, 2-1472641949
> Thanks again for your test.
> Looks like it is caused by another bug in sysfs_readdir: if filldir() returns
> failure (such as a small buffer length passed from userspace, very probable
> for trinity) in the case of 'if (filp->f_pos == 0 or 1)', filp->private_data
> will still point to one refcount-balanced sysfs_dirent object.
> V4 adds a fix for this situation, please test the attached v4 patch.

With this one it didn't happen at all during overnight tests, so it looks like it did
the job.
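To make the failure mode Ming Lei describes concrete, here is a constructed C model added to this page; it is not code from the thread, the patch, or the kernel. `sd`, `dir_pos`, `readdir_model` and `scenario` are assumed stand-ins: a refcounted entry cached in `private_data`, a positional lookup that drops the cached reference, and a readdir that either falls through when the "." / ".." filldir fails (the v3 behaviour as described) or returns early (the v4 behaviour as described). The rewind to `f_pos` 0 with a still-cached entry is also an assumption of the model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not the kernel's code: a refcounted directory entry whose
   last reference drop marks it freed instead of releasing memory. */
struct sd { int refcnt; bool freed; };
static struct sd *sd_get(struct sd *s) { s->refcnt++; return s; }
static void sd_put(struct sd *s) { if (--s->refcnt == 0) s->freed = true; }
struct file { long f_pos; struct sd *private_data; };

/* Model of the positional lookup (an assumption, not sysfs internals): drops
   the reference cached by the previous call; f_pos 0/1 are "." and "..". */
static struct sd *dir_pos(struct file *f, struct sd *cached, struct sd *child)
{
    if (cached)
        sd_put(cached);
    return f->f_pos > 1 ? child : NULL;
}

/* One readdir call. ok models whether the user buffer had room for "." / "..";
   fixed selects the early return instead of falling through. */
static int readdir_model(struct file *f, struct sd *child, bool ok, bool fixed)
{
    struct sd *pos = f->private_data;
    if (f->f_pos == 0 || f->f_pos == 1) {
        if (ok)
            f->f_pos = 2;
        else if (fixed)
            return 0;   /* cached pointer and its held reference untouched */
        /* buggy: fall through into the lookup with "." / ".." still pending */
    }
    pos = dir_pos(f, pos, child);        /* drops the cached reference */
    if (pos)
        f->private_data = sd_get(pos);   /* cache a newly held reference */
    else if (f->f_pos > 1)
        f->private_data = NULL;          /* EOF: clear the cache */
    return 0;   /* buggy path: private_data still points at the put entry */
}

/* Scenario: a successful readdir caches a child, the parent drops its own
   reference, then a rewind to f_pos 0 meets a full buffer. True on UAF. */
static bool scenario(bool fixed)
{
    struct sd child = { 1, false };            /* parent's reference */
    struct file f = { 0, NULL };
    readdir_model(&f, &child, true, fixed);    /* caches child: refcnt 2 */
    sd_put(&child);                            /* parent lets go: refcnt 1 */
    f.f_pos = 0;
    readdir_model(&f, &child, false, fixed);
    return f.private_data != NULL && f.private_data->freed;
}
```

`scenario(false)` ends with `private_data` pointing at an entry whose last reference is gone, which is what the "refcount-balanced sysfs_dirent" in the thread means; `scenario(true)` keeps the cached reference held.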
