Public bug reported:

Binary package hint: linux-image-2.6.20-16-generic

Running feisty, 2.6.20-16-generic, but this problem remains in the latest feisty and gutsy trees in git.

Found via code inspection that structure "sub_info" is dereferenced after kfree() in finish_usermodehelper_pipe() in kernel/kmod.c:

    int finish_usermodehelper_pipe(struct subprocess_info *sub_info)
    {
    	wait_for_completion(sub_info->complete);
    	kfree(sub_info->complete);
    	kfree(sub_info);
    	return sub_info->retval;
    }

This could result in an unwanted fault or a bad return value going back to the caller.

I believe the fix is:

$ diff -u kmod.c.orig kmod.c.fix
--- kmod.c.orig	2007-04-12 12:16:23.000000000 -0500
+++ kmod.c.fix	2007-08-12 18:00:07.000000000 -0500
@@ -338,11 +338,13 @@
 int finish_usermodehelper_pipe(struct subprocess_info *sub_info)
 {
+	int retval;
 	wait_for_completion(sub_info->complete);
+	retval = sub_info->retval;
 	kfree(sub_info->complete);
 	kfree(sub_info);
-	return sub_info->retval;
+	return retval;
 }
 EXPORT_SYMBOL(finish_usermodehelper_pipe);

** Affects: linux-source-2.6.20 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
sub_info dereferenced after free in finish_usermodehelper_pipe
https://bugs.launchpad.net/bugs/132089
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
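Review bot: the hunk header `@@ -338,11 +338,13 @@` promises 11 old and 13 new lines, but only 8 old and 10 new are quoted, so the patch as pasted will not apply cleanly; the three missing lines are most likely blank context lines stripped in transit, so please regenerate the `diff -u` output and attach it as a file rather than inline. The change itself is correct: `retval = sub_info->retval;` is read after `wait_for_completion()` returns and before either `kfree()`, which is the only ordering in which the value is both valid (the helper has finished) and still backed by live memory.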
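The report notes that the bug may show up either as a fault or as a silently wrong return value, depending on what happens to the freed object. The following is an added user-space model, not code from the bug report or from the kernel tree, that mirrors the buggy and the fixed function side by side on top of a simulated allocator (`sim_kmalloc`, `sim_kfree`, and the other `sim_*` names are hypothetical). `sim_kfree` never returns storage, so the read after free is well-defined in the model, but it fills the object with the same 0x6b byte that SLUB's poisoning (`slub_debug=P`) uses; that is exactly why enabling slab poisoning on a debug kernel turns a quiet "bad return value" into an unmistakable 0x6b6b6b6b, which is the check a tester would want before and after applying the patch.

```c
/* Added example: user-space model of the use-after-free in
 * finish_usermodehelper_pipe() and of the proposed fix.  Not kernel code;
 * all sim_* names are hypothetical stand-ins for kmalloc/kfree/completions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define POISON_FREE 0x6b   /* byte SLUB writes over freed objects when poisoning */

struct sim_completion { int done; };

struct sim_subprocess_info {
    struct sim_completion *complete;
    int retval;
};

/* Bump allocator over static, suitably aligned storage.  Freed objects are
 * poisoned but the storage stays mapped, so the buggy read below is defined
 * behaviour in this model and returns the poison pattern. */
static long long sim_heap_storage[64];
static unsigned char *sim_heap = (unsigned char *)sim_heap_storage;
static size_t sim_heap_top;

static void *sim_kmalloc(size_t n) {
    n = (n + 7) & ~(size_t)7;                 /* keep 8-byte alignment */
    if (sim_heap_top + n > sizeof sim_heap_storage) return NULL;
    void *p = sim_heap + sim_heap_top;
    sim_heap_top += n;
    return p;
}

static void sim_kfree(void *p, size_t n) {
    memset(p, POISON_FREE, n);                /* what slub_debug=P does on kfree */
}

static void sim_wait_for_completion(struct sim_completion *c) { c->done = 1; }

/* Mirrors the original function: sub_info is dereferenced after it is freed. */
int buggy_finish(struct sim_subprocess_info *sub_info) {
    sim_wait_for_completion(sub_info->complete);
    sim_kfree(sub_info->complete, sizeof *sub_info->complete);
    sim_kfree(sub_info, sizeof *sub_info);
    return sub_info->retval;                  /* use after free */
}

/* Mirrors the proposed fix: copy retval out before either free. */
int fixed_finish(struct sim_subprocess_info *sub_info) {
    int retval;
    sim_wait_for_completion(sub_info->complete);
    retval = sub_info->retval;
    sim_kfree(sub_info->complete, sizeof *sub_info->complete);
    sim_kfree(sub_info, sizeof *sub_info);
    return retval;
}

/* Constructs a sub_info whose helper has "exited" with the given status. */
static struct sim_subprocess_info *make_info(int retval) {
    struct sim_subprocess_info *si = sim_kmalloc(sizeof *si);
    si->complete = sim_kmalloc(sizeof *si->complete);
    si->complete->done = 0;
    si->retval = retval;
    return si;
}

int run_buggy(int retval) { return buggy_finish(make_info(retval)); }
int run_fixed(int retval) { return fixed_finish(make_info(retval)); }

int main(void) {
    printf("fixed: %d\n", run_fixed(42));
    printf("buggy: 0x%x (poison pattern, not the helper's status)\n", run_buggy(42));
    return 0;
}
```

On a real kernel without poisoning the freed slab object usually still holds the old bytes, so the buggy function often returns the right value by luck; the poisoned model shows why that luck is not something a caller can rely on, and why a debug kernel with slab poisoning is the quickest way to confirm the defect and the fix.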