From: Maneesh Soni Date: Tue, 16 Aug 2005 22:15:48 +0000 (-0700) Subject: [PATCH] Driver core: potentially fix use after free in class_device_attr_show X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=208f3d6175cb17772c5af202fe12373f90894ff4;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [PATCH] Driver core: potentially fix use after free in class_device_attr_show This moves the code to free devt_attr from class_device_del() to class_dev_release() which is called after the last reference to the corresponding kobject() is gone. This allows us to keep the devt_attr alive while the corresponding sysfs file is open. Signed-off-by: Maneesh Soni Signed-off-by: Greg Kroah-Hartman Signed-off-by: Linus Torvalds --- diff --git a/drivers/base/class.c b/drivers/base/class.c index 479c1257088..0154a1623b2 100644 --- a/drivers/base/class.c +++ b/drivers/base/class.c @@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj) pr_debug("device class '%s': release.\n", cd->class_id); + if (cd->devt_attr) { + kfree(cd->devt_attr); + cd->devt_attr = NULL; + } + if (cls->release) cls->release(cd); else { @@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev) if (class_dev->dev) sysfs_remove_link(&class_dev->kobj, "device"); - if (class_dev->devt_attr) { + if (class_dev->devt_attr) class_device_remove_file(class_dev, class_dev->devt_attr); - kfree(class_dev->devt_attr); - class_dev->devt_attr = NULL; - } class_device_remove_attrs(class_dev); kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);