Driver core: fix race in sysfs between sysfs_remove_file() and read()/write()

#include <linux/slab.h>

#include <asm/uaccess.h>

#include <asm/semaphore.h>

#include "sysfs.h"

#include <linux/module.h>

#include <linux/kobject.h>

#include <linux/namei.h>

#include <asm/semaphore.h>

#include "sysfs.h"

DECLARE_RWSEM(sysfs_rename_sem);

#include <linux/kobject.h>

#include <linux/namei.h>

#include <linux/poll.h>

#include <linux/list.h>

#include <asm/uaccess.h>

#include <asm/semaphore.h>

	.store	= subsys_attr_store,

};

/**

 *	add_to_collection - add buffer to a collection

 *	@buffer:	buffer to be added

 *	@node		inode of set to add to

 */

struct sysfs_buffer {

	size_t			count;

	loff_t			pos;

	char			* page;

	struct sysfs_ops	* ops;

	struct semaphore	sem;

	int			needs_read_fill;

	int			event;

};

static inline void

add_to_collection(struct sysfs_buffer *buffer, struct inode *node)

{

	struct sysfs_buffer_collection *set = node->i_private;

	mutex_lock(&node->i_mutex);

	list_add(&buffer->associates, &set->associates);

	mutex_unlock(&node->i_mutex);

}

static inline void

remove_from_collection(struct sysfs_buffer *buffer, struct inode *node)

{

	mutex_lock(&node->i_mutex);

	list_del(&buffer->associates);

	mutex_unlock(&node->i_mutex);

}

/**

 *	fill_read_buffer - allocate and fill buffer from object.

	ssize_t retval = 0;

	down(&buffer->sem);

	if (buffer->orphaned) {

		retval = -ENODEV;

		goto out;

	}

	if (buffer->needs_read_fill) {

		if ((retval = fill_read_buffer(file->f_path.dentry,buffer)))

			goto out;

	return retval;

}

/**

 *	fill_write_buffer - copy buffer from userspace.

 *	@buffer:	data buffer for file.

	ssize_t len;

	down(&buffer->sem);

	if (buffer->orphaned) {

		len = -ENODEV;

		goto out;

	}

	len = fill_write_buffer(buffer, buf, count);

	if (len > 0)

		len = flush_write_buffer(file->f_path.dentry, buffer, len);

	if (len > 0)

		*ppos += len;

out:

	up(&buffer->sem);

	return len;

}

static int check_perm(struct inode * inode, struct file * file)

static int sysfs_open_file(struct inode *inode, struct file *file)

{

	struct kobject *kobj = sysfs_get_kobject(file->f_path.dentry->d_parent);

	struct attribute * attr = to_attr(file->f_path.dentry);

	struct sysfs_buffer_collection *set;

	struct sysfs_buffer * buffer;

	struct sysfs_ops * ops = NULL;

	int error = 0;

	if (!ops)

		goto Eaccess;

	/* make sure we have a collection to add our buffers to */

	mutex_lock(&inode->i_mutex);

	if (!(set = inode->i_private)) {

		if (!(set = inode->i_private = kmalloc(sizeof(struct sysfs_buffer_collection), GFP_KERNEL))) {

			error = -ENOMEM;

			goto Done;

		} else {

			INIT_LIST_HEAD(&set->associates);

		}

	}

	mutex_unlock(&inode->i_mutex);

	/* File needs write support.

	 * The inode's perms must say it's ok, 

	 * and we must have a store method.

	 */

	buffer = kzalloc(sizeof(struct sysfs_buffer), GFP_KERNEL);

	if (buffer) {

		INIT_LIST_HEAD(&buffer->associates);

		init_MUTEX(&buffer->sem);

		buffer->needs_read_fill = 1;

		buffer->ops = ops;

		add_to_collection(buffer, inode);

		file->private_data = buffer;

	} else

		error = -ENOMEM;

	return error;

}

static int sysfs_open_file(struct inode * inode, struct file * filp)

{

	return check_perm(inode,filp);

}

static int sysfs_release(struct inode * inode, struct file * filp)

{

	struct kobject * kobj = to_kobj(filp->f_path.dentry->d_parent);

	struct module * owner = attr->owner;

	struct sysfs_buffer * buffer = filp->private_data;

	if (buffer)

		remove_from_collection(buffer, inode);

	if (kobj) 

		kobject_put(kobj);

	/* After this point, attr should not be accessed. */

#include <linux/dcache.h>

#include <linux/namei.h>

#include <linux/err.h>

#include <asm/semaphore.h>

#include "sysfs.h"

#include <linux/backing-dev.h>

#include <linux/capability.h>

#include <linux/errno.h>

#include <asm/semaphore.h>

#include "sysfs.h"

extern struct super_block * sysfs_sb;

	return NULL;

}

static inline void orphan_all_buffers(struct inode *node)

{

	struct sysfs_buffer_collection *set = node->i_private;

	struct sysfs_buffer *buf;

	mutex_lock(&node->i_mutex);

	if (node->i_private) {

		list_for_each_entry(buf, &set->associates, associates) {

			down(&buf->sem);

			buf->orphaned = 1;

			up(&buf->sem);

		}

	}

	mutex_unlock(&node->i_mutex);

}

/*

 * Unhashes the dentry corresponding to given sysfs_dirent

void sysfs_drop_dentry(struct sysfs_dirent * sd, struct dentry * parent)

{

	struct dentry * dentry = sd->s_dentry;

	struct inode *inode;

	if (dentry) {

		spin_lock(&dcache_lock);

		spin_lock(&dentry->d_lock);

		if (!(d_unhashed(dentry) && dentry->d_inode)) {

			inode = dentry->d_inode;

			spin_lock(&inode->i_lock);

			__iget(inode);

			spin_unlock(&inode->i_lock);

			dget_locked(dentry);

			__d_drop(dentry);

			spin_unlock(&dentry->d_lock);

			spin_unlock(&dcache_lock);

			simple_unlink(parent->d_inode, dentry);

			orphan_all_buffers(inode);

			iput(inode);

		} else {

			spin_unlock(&dentry->d_lock);

			spin_unlock(&dcache_lock);