Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 208f3d61 authored by Maneesh Soni's avatar Maneesh Soni Committed by Linus Torvalds
Browse files

[PATCH] Driver core: potentially fix use after free in class_device_attr_show 



This moves the code to free devt_attr from class_device_del() to
class_dev_release() which is called after the last reference to the
corresponding kobject() is gone.

This allows us to keep the devt_attr alive while the corresponding
sysfs file is open.

Signed-off-by: default avatarManeesh Soni <maneesh@in.ibm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 12aaa085

drivers/base/class.c

+6 −4
Original line number Diff line number Diff line
@@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj) 


	pr_debug("device class '%s': release.\n", cd->class_id);



	if (cd->devt_attr) {

		kfree(cd->devt_attr);

		cd->devt_attr = NULL;

	}



	if (cls->release)

		cls->release(cd);

	else {
@@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev) 


	if (class_dev->dev)

		sysfs_remove_link(&class_dev->kobj, "device");

	if (class_dev->devt_attr) {

	if (class_dev->devt_attr)

		class_device_remove_file(class_dev, class_dev->devt_attr);

		kfree(class_dev->devt_attr);

		class_dev->devt_attr = NULL;

	}

	class_device_remove_attrs(class_dev);



	kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);