Richard, your symlink-related race fixes do not fix anything.
Let it sleep in copy_to_user()
Have symlink unregistered
->registered is 0, ->refcount is 1, ->linkname points to link body
Have symlink registered again (module had been unloaded, now attacker
causes its reload)
->registered is checked. Looks OK.
->refcount is set to 1.
->linkname is set to _new_ link body
copy_to_user() wakes up and finishes.
devfs_readlink() decrements ->refcount to 0.
devfs_readlink() does kfree() on ->linkname (new one)
We are left with registered entry with zero refcount and linkname
Same scenario applies to other places of that kind.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to email@example.com
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Sep 30 2001 - 21:00:59 EST