[PATCH] Driver core: potentially fix use after free in class_device_attr_show
Maneesh Soni [Tue, 16 Aug 2005 22:15:48 +0000 (15:15 -0700)]
This moves the code that frees devt_attr from class_device_del() to
class_dev_release(), which is called after the last reference to the
corresponding kobject is gone.

This allows us to keep the devt_attr alive while the corresponding
sysfs file is open.

Signed-off-by: Maneesh Soni <maneesh@in.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

drivers/base/class.c

index 479c125..0154a16 100644 (file)
@@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj)
 
        pr_debug("device class '%s': release.\n", cd->class_id);
 
+       if (cd->devt_attr) {
+               kfree(cd->devt_attr);
+               cd->devt_attr = NULL;
+       }
+
        if (cls->release)
                cls->release(cd);
        else {
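Review bot: The `if (cd->devt_attr)` guard around the added kfree() is redundant, because kfree() accepts NULL; `kfree(cd->devt_attr); cd->devt_attr = NULL;` does the same work in two lines. The placement ahead of `cls->release(cd)` is what keeps this safe, since that callback presumably frees cd itself. A comment such as `/* must run before ->release(), which may free cd */` would stop a later reorder from turning the free into a use-after-free. class_dev_release() begins above the hunk and its else branch continues past it.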
@@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev)
 
        if (class_dev->dev)
                sysfs_remove_link(&class_dev->kobj, "device");
-       if (class_dev->devt_attr) {
+       if (class_dev->devt_attr)
                class_device_remove_file(class_dev, class_dev->devt_attr);
-               kfree(class_dev->devt_attr);
-               class_dev->devt_attr = NULL;
-       }
        class_device_remove_attrs(class_dev);
 
        kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);
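Review bot: Nothing at the `class_device_remove_file()` call records why devt_attr is no longer freed here, so the missing kfree() reads like a leak and invites a "fix" that brings the use-after-free back. A comment such as `/* devt_attr is freed in class_dev_release(); an open sysfs file may still reference it */` would document the lifetime rule. The pointer also stays non-NULL after class_device_del() returns. If a class_device can be added again after del (class_device_add() is not visible here), the old allocation might be overwritten and leaked, which is worth checking. class_device_del() starts before and continues after this hunk.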