-stable review patch. If anyone has any objections, please let us know.
---------------------
From: Tejun Heo <[email protected]>
Currently, devt_attr for the "dev" file is freed immediately on device
removal, but if the "dev" sysfs file is open when a device is removed,
sysfs will access its attribute structure for further access including
close resulting in jumping to garbled address. Fix it by postponing
freeing devt_attr to device release time.
Note that devt_attr for class_device is already freed on release.
This bug is reported by Chris Rankin as bugzilla bug#8198.
Signed-off-by: Tejun Heo <[email protected]>
Cc: Chris Rankin <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
---
Applies well to 2.6.20 and 21. As sysfs-immediate-disconnect doesn't
seem to be included in 2.6.22, this should be included in linus#master
too (applies well there as well).
drivers/base/core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- linux-2.6.21.1.orig/drivers/base/core.c
+++ linux-2.6.21.1/drivers/base/core.c
@@ -93,6 +93,9 @@ static void device_release(struct kobjec
{
struct device * dev = to_dev(kobj);
+ kfree(dev->devt_attr);
+ dev->devt_attr = NULL;
+
if (dev->release)
dev->release(dev);
else if (dev->type && dev->type->release)
@@ -765,10 +768,8 @@ void device_del(struct device * dev)
if (parent)
klist_del(&dev->knode_parent);
- if (dev->devt_attr) {
+ if (dev->devt_attr)
device_remove_file(dev, dev->devt_attr);
- kfree(dev->devt_attr);
- }
if (dev->class) {
sysfs_remove_link(&dev->kobj, "subsystem");
/* If this is not a "fake" compatible device, remove the
--