[PATCH] driver-core: don't free devt_attr till the device is released

Currently, devt_attr for the "dev" file is freed immediately on device
removal, but if the "dev" sysfs file is open when a device is removed,
sysfs will access its attribute structure for further access including
close resulting in jumping to garbled address.  Fix it by postponing
freeing devt_attr to device release time.

Note that devt_attr for class_device is already freed on release.

This bug is reported by Chris Rankin as bugzilla bug#8198.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Chris Rankin <rankincj@yahoo.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

diff --git a/drivers/base/core.c b/drivers/base/core.c
index d7fcf823a42a71e08af9da4e62d83b0dae5129fd..a8dfee20df786172727a3321ec1878ece56ee5be 100644 (file)
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -93,6 +93,9 @@ static void device_release(struct kobject * kobj)
 {
        struct device * dev = to_dev(kobj);
 
+       kfree(dev->devt_attr);
+       dev->devt_attr = NULL;
+
        if (dev->release)
                dev->release(dev);
        else if (dev->type && dev->type->release)
@@ -765,10 +768,8 @@ void device_del(struct device * dev)
 
        if (parent)
                klist_del(&dev->knode_parent);
-       if (dev->devt_attr) {
+       if (dev->devt_attr)
                device_remove_file(dev, dev->devt_attr);
-               kfree(dev->devt_attr);
-       }
        if (dev->class) {
                sysfs_remove_link(&dev->kobj, "subsystem");
                /* If this is not a "fake" compatible device, remove the