On Mon Jun 09 2003 - 20:39:45 EST, Rusty Russell (rusty@rustcorp.com.au) wrote:
> In message <200306091014.h59AEnU08591@adam.yggdrasil.com> you write:
> > cleanup:
> > module_unload_free(mod);
> > module_free(mod, mod->module_init);
> > free_core:
> > module_free(mod, mod->module_core);
> > /* The following "if" statement generates a kernel bad memory
> > reference. --Adam */
> > free_percpu:
> > if (mod->percpu)
> > percpu_modfree(mod->percpu);
> >
..
>
> Well, mod is inside module->module_core, so that makes sense: check
> the section layout, but usually the .text section is first, then mod
> will be near the .data section (turn on debugging in layout_sections
> to get the details).
Umm, isn't that the problem? Once we get past the point where mod points
inside the module core (ie where we would goto cleanup), we can't
reference mod->percpu after freeing mod->mod_core, since that frees mod
(and hence a the use-after-free bug).
milton
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jun 15 2003 - 22:00:22 EST