aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorManeesh Soni <maneesh@in.ibm.com>2005-08-16 18:15:48 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-08-17 00:06:24 -0400
commit208f3d6175cb17772c5af202fe12373f90894ff4 (patch)
tree86265a0aa2a8007e181e9edb279b2fab81b812ee
parent12aaa0855b39b5464db953fedf399fa91ee365ed (diff)
[PATCH] Driver core: potentially fix use after free in class_device_attr_show
This moves the code to free devt_attr from class_device_del() to class_dev_release() which is called after the last reference to the corresponding kobject() is gone. This allows us to keep the devt_attr alive while the corresponding sysfs file is open. Signed-off-by: Maneesh Soni <maneesh@in.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--drivers/base/class.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/base/class.c b/drivers/base/class.c
index 479c12570881..0154a1623b21 100644
--- a/drivers/base/class.c
+++ b/drivers/base/class.c
@@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj)
299 299
300 pr_debug("device class '%s': release.\n", cd->class_id); 300 pr_debug("device class '%s': release.\n", cd->class_id);
301 301
302 if (cd->devt_attr) {
303 kfree(cd->devt_attr);
304 cd->devt_attr = NULL;
305 }
306
302 if (cls->release) 307 if (cls->release)
303 cls->release(cd); 308 cls->release(cd);
304 else { 309 else {
@@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev)
591 596
592 if (class_dev->dev) 597 if (class_dev->dev)
593 sysfs_remove_link(&class_dev->kobj, "device"); 598 sysfs_remove_link(&class_dev->kobj, "device");
594 if (class_dev->devt_attr) { 599 if (class_dev->devt_attr)
595 class_device_remove_file(class_dev, class_dev->devt_attr); 600 class_device_remove_file(class_dev, class_dev->devt_attr);
596 kfree(class_dev->devt_attr);
597 class_dev->devt_attr = NULL;
598 }
599 class_device_remove_attrs(class_dev); 601 class_device_remove_attrs(class_dev);
600 602
601 kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE); 603 kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);