[PATCH] Driver core: potentially fix use after free in class_device_attr_show
This moves the code to free devt_attr from class_device_del() to class_dev_release() which is called after the last reference to the corresponding kobject() is gone. This allows us to keep the devt_attr alive while the corresponding sysfs file is open. Signed-off-by: Maneesh Soni <maneesh@in.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
12aaa0855b
commit
208f3d6175
@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj)
|
||||
|
||||
pr_debug("device class '%s': release.\n", cd->class_id);
|
||||
|
||||
if (cd->devt_attr) {
|
||||
kfree(cd->devt_attr);
|
||||
cd->devt_attr = NULL;
|
||||
}
|
||||
|
||||
if (cls->release)
|
||||
cls->release(cd);
|
||||
else {
|
||||
@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev)
|
||||
|
||||
if (class_dev->dev)
|
||||
sysfs_remove_link(&class_dev->kobj, "device");
|
||||
if (class_dev->devt_attr) {
|
||||
if (class_dev->devt_attr)
|
||||
class_device_remove_file(class_dev, class_dev->devt_attr);
|
||||
kfree(class_dev->devt_attr);
|
||||
class_dev->devt_attr = NULL;
|
||||
}
|
||||
class_device_remove_attrs(class_dev);
|
||||
|
||||
kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);
|
||||
|
Loading…
Reference in New Issue
Block a user