[PATCH] driver-core: don't free devt_attr till the device is released

Currently, devt_attr for the "dev" file is freed immediately on device
removal, but if the "dev" sysfs file is open when a device is removed,
sysfs will access its attribute structure for further access including
close resulting in jumping to garbled address.  Fix it by postponing
freeing devt_attr to device release time.

Note that devt_attr for class_device is already freed on release.

This bug is reported by Chris Rankin as bugzilla bug#8198.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Chris Rankin <rankincj@yahoo.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 67b79a7592a9d94c92d0e737d82638fdc5e7f74d..7d10d676ab03c6b81bc78eddc9b8ab9ac87a91ce 100644 (file)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -93,6 +93,9 @@ static void device_release(struct kobject * kobj)
 {
        struct device * dev = to_dev(kobj);
 
+       kfree(dev->devt_attr);
+       dev->devt_attr = NULL;
+
        if (dev->release)
                dev->release(dev);
        else if (dev->class && dev->class->dev_release)
@@ -650,10 +653,8 @@ void device_del(struct device * dev)
 
        if (parent)
                klist_del(&dev->knode_parent);
-       if (dev->devt_attr) {
+       if (dev->devt_attr)
                device_remove_file(dev, dev->devt_attr);
-               kfree(dev->devt_attr);
-       }
        if (dev->class) {
                sysfs_remove_link(&dev->kobj, "subsystem");
                /* If this is not a "fake" compatible device, remove the