aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKonstantin Khlebnikov <khlebnikov@openvz.org>2012-12-14 06:03:10 -0500
committerBorislav Petkov <bpetkov@suse.de>2013-01-07 11:42:58 -0500
commit311bd84247ee0bedae6cdfbfc5e2c3450f9decd1 (patch)
tree23e7218b9e23c33ca9e8534ddbb05664f896fab3
parentd1c3ed669a2d452cacfb48c2d171a1f364dae2ed (diff)
EDAC: Fix kernel panic on module unloading
This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit(). mci_pdev has single reference and put_device() calls mc_attr_release() which calls kfree(). The following device_del() works with already released memory. An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great. Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org> Cc: stable@vger.kernel.org # 3.[67] Cc: Denis Kirjanov <kirjanov@gmail.com> Cc: Mauro Carvalho Chehab <mchehab@redhat.com> Link: http://lkml.kernel.org/r/20121214110310.11019.21098.stgit@zurg Signed-off-by: Borislav Petkov <bp@alien8.de>
-rw-r--r--drivers/edac/edac_mc_sysfs.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
index de2df92f9c77..a3b0119ecb00 100644
--- a/drivers/edac/edac_mc_sysfs.c
+++ b/drivers/edac/edac_mc_sysfs.c
@@ -1159,8 +1159,7 @@ int __init edac_mc_sysfs_init(void)
1159 1159
1160void __exit edac_mc_sysfs_exit(void) 1160void __exit edac_mc_sysfs_exit(void)
1161{ 1161{
1162 put_device(mci_pdev);
1163 device_del(mci_pdev); 1162 device_del(mci_pdev);
1163 put_device(mci_pdev);
1164 edac_put_sysfs_subsys(); 1164 edac_put_sysfs_subsys();
1165 kfree(mci_pdev);
1166} 1165}