提交 208f3d61 编写于 作者: M Maneesh Soni 提交者: Linus Torvalds

[PATCH] Driver core: potentially fix use after free in class_device_attr_show

This moves the code to free devt_attr from class_device_del() to
class_dev_release() which is called after the last reference to the
corresponding kobject() is gone.

This allows us to keep the devt_attr alive while the corresponding
sysfs file is open.
Signed-off-by: NManeesh Soni <maneesh@in.ibm.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
上级 12aaa085
...@@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj) ...@@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj)
pr_debug("device class '%s': release.\n", cd->class_id); pr_debug("device class '%s': release.\n", cd->class_id);
if (cd->devt_attr) {
kfree(cd->devt_attr);
cd->devt_attr = NULL;
}
if (cls->release) if (cls->release)
cls->release(cd); cls->release(cd);
else { else {
...@@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev) ...@@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev)
if (class_dev->dev) if (class_dev->dev)
sysfs_remove_link(&class_dev->kobj, "device"); sysfs_remove_link(&class_dev->kobj, "device");
if (class_dev->devt_attr) { if (class_dev->devt_attr)
class_device_remove_file(class_dev, class_dev->devt_attr); class_device_remove_file(class_dev, class_dev->devt_attr);
kfree(class_dev->devt_attr);
class_dev->devt_attr = NULL;
}
class_device_remove_attrs(class_dev); class_device_remove_attrs(class_dev);
kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE); kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册