diff options
| author | Maneesh Soni <maneesh@in.ibm.com> | 2005-08-16 18:15:48 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-08-17 00:06:24 -0400 |
| commit | 208f3d6175cb17772c5af202fe12373f90894ff4 (patch) | |
| tree | 86265a0aa2a8007e181e9edb279b2fab81b812ee | |
| parent | 12aaa0855b39b5464db953fedf399fa91ee365ed (diff) | |
[PATCH] Driver core: potentially fix use after free in class_device_attr_show
This moves the code to free devt_attr from class_device_del() to
class_dev_release() which is called after the last reference to the
corresponding kobject() is gone.
This allows us to keep the devt_attr alive while the corresponding
sysfs file is open.
Signed-off-by: Maneesh Soni <maneesh@in.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| -rw-r--r-- | drivers/base/class.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/base/class.c b/drivers/base/class.c index 479c12570881..0154a1623b21 100644 --- a/drivers/base/class.c +++ b/drivers/base/class.c | |||
| @@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj) | |||
| 299 | 299 | ||
| 300 | pr_debug("device class '%s': release.\n", cd->class_id); | 300 | pr_debug("device class '%s': release.\n", cd->class_id); |
| 301 | 301 | ||
| 302 | if (cd->devt_attr) { | ||
| 303 | kfree(cd->devt_attr); | ||
| 304 | cd->devt_attr = NULL; | ||
| 305 | } | ||
| 306 | |||
| 302 | if (cls->release) | 307 | if (cls->release) |
| 303 | cls->release(cd); | 308 | cls->release(cd); |
| 304 | else { | 309 | else { |
| @@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev) | |||
| 591 | 596 | ||
| 592 | if (class_dev->dev) | 597 | if (class_dev->dev) |
| 593 | sysfs_remove_link(&class_dev->kobj, "device"); | 598 | sysfs_remove_link(&class_dev->kobj, "device"); |
| 594 | if (class_dev->devt_attr) { | 599 | if (class_dev->devt_attr) |
| 595 | class_device_remove_file(class_dev, class_dev->devt_attr); | 600 | class_device_remove_file(class_dev, class_dev->devt_attr); |
| 596 | kfree(class_dev->devt_attr); | ||
| 597 | class_dev->devt_attr = NULL; | ||
| 598 | } | ||
| 599 | class_device_remove_attrs(class_dev); | 601 | class_device_remove_attrs(class_dev); |
| 600 | 602 | ||
| 601 | kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE); | 603 | kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE); |