[PATCH] Driver core: potentially fix use after free in class_device_a…

…ttr_show This moves the code to free devt_attr from class_device_del() to class_dev_release() which is called after the last reference to the corresponding kobject() is gone. This allows us to keep the devt_attr alive while the corresponding sysfs file is open. Signed-off-by: Maneesh Soni <maneesh@in.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
git-mirror · Aug 17, 2005 · 208f3d6 · 208f3d6
1 parent 12aaa08
commit 208f3d6
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/drivers/base/class.c b/drivers/base/class.c
@@ -299,6 +299,11 @@ static void class_dev_release(struct kobject * kobj)
 
 	pr_debug("device class '%s': release.\n", cd->class_id);
 
+	if (cd->devt_attr) {
+		kfree(cd->devt_attr);
+		cd->devt_attr = NULL;
+	}
+
 	if (cls->release)
 		cls->release(cd);
 	else {
@@ -591,11 +596,8 @@ void class_device_del(struct class_device *class_dev)
 
 	if (class_dev->dev)
 		sysfs_remove_link(&class_dev->kobj, "device");
-	if (class_dev->devt_attr) {
+	if (class_dev->devt_attr)
 		class_device_remove_file(class_dev, class_dev->devt_attr);
-		kfree(class_dev->devt_attr);
-		class_dev->devt_attr = NULL;
-	}
 	class_device_remove_attrs(class_dev);
 
 	kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);