Hi Sasha,

On Wed, Mar 20, 2013 at 12:28 AM, Sasha Levin <levinsasha...@gmail.com> wrote:
> On 03/19/2013 07:54 AM, Ming Lei wrote:
> > With v3 of the patch:
> > [ 1275.665758] sysfs_dir_pos-973 sysfs_dirent use after free:
> tun(tun)-uevent, 2-1472641949

Thanks again for your test.

Looks like it is caused by another bug in sysfs_readdir: if filldir() returns failure (such as a small buffer length passed from userspace, very probably for trinity) in case of 'if (filp->f_pos == 0 or 1)', filp->private_data will still point to one refcount-balanced sysfs_dirent object.

V4 adds a fix for this situation; please test the attached v4 patch.

Thanks,
--
Ming Lei

sysfs-fix-readdir-v4.patch