From: Alexander Viro <viro@math.psu.edu>
To: Richard Gooch <rgooch@ras.ucalgary.ca>
Subject: new^H^H^Himproved devfs races
Date: Thu, 27 Sep 2001 20:52:51 -0400 (EDT)
Cc: Linus Torvalds <torvalds@transmeta.com>, linux-kernel@vger.kernel.org

Richard, your symlink-related race fixes do not fix anything.

Enter devfs_readlink()
Let it sleep in copy_to_user()
Have symlink unregistered
	->registered is 0, ->refcount is 1, ->linkname points to link body
Have symlink registered again (module had been unloaded, now attacker causes its reload)
	->registered is checked. Looks OK.
	->refcount is set to 1.
	->linkname is set to _new_ link body
copy_to_user() wakes up and finishes.
devfs_readlink() decrements ->refcount to 0.
devfs_readlink() does kfree() on ->linkname (new one)

We are left with registered entry with zero refcount and linkname pointing nowhere.

Same scenario applies to other places of that kind.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
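A user-space replay of the interleaving in the mail, added here as an illustration; it is not devfs code and not from the mail's author. The entry layout, the helper names and the "fixed" variant (which only stops re-registration from resetting the refcount, and does not address ownership of the old link body) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
/* Model of the entry fields the mail names (assumed layout, not devfs's). */
struct entry { int registered; int refcount; char *linkname; };

/* Drop one ref; the last frees the body, as devfs_readlink() does after copy_to_user(). */
static void put_entry(struct entry *e)
{
    if (--e->refcount == 0) {
        free(e->linkname);
        e->linkname = NULL;                 /* "linkname pointing nowhere" */
    }
}

/* Unregister: clear the flag and drop the registration's own reference. */
static void unregister_link(struct entry *e)
{
    e->registered = 0;
    put_entry(e);
}

/* Re-register. Buggy variant mirrors the mail: refcount is *set* to 1, losing the
 * sleeping reader's ref. Fixed variant (an assumed repair of the reset only,
 * not of body ownership) *adds* the registration ref instead. */
static void register_link(struct entry *e, const char *body, int fixed)
{
    if (e->registered)
        return;                             /* "->registered is checked. Looks OK." */
    e->registered = 1;
    e->refcount = fixed ? e->refcount + 1 : 1;
    e->linkname = strdup(body);
}

/* Replay the mail's interleaving; returns 1 if the broken end state
 * (registered entry, zero refcount, no body) is reached, else 0. */
int race_leaves_dangling_entry(int fixed)
{
    struct entry e = { 1, 1, strdup("old-target") };
    e.refcount++;                           /* devfs_readlink() takes a ref */
    char *src = e.linkname;                 /* copy_to_user() starts reading this body... */
    unregister_link(&e);                    /* ...and sleeps; module unloaded */
    register_link(&e, "new-target", fixed); /* module reloaded */
    put_entry(&e);                          /* copy_to_user() done; reader drops its ref */
    int broken = e.registered && e.refcount == 0 && e.linkname == NULL;
    free(src);                              /* old body, orphaned by register_link() */
    if (!broken)
        put_entry(&e);                      /* tear down the surviving entry */
    return broken;
}
```

With the reset in place the replay ends in exactly the state the mail describes; with the registration reference added instead, the reader's final put leaves the entry alive with one reference.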