From: Konstantin Khlebnikov <[email protected]> Date: Fri, 14 Dec 2012 15:03:10 +0400 Subject: [PATCH] EDAC: Fix kernel panic on module unloading
Upstream commit: 311bd84247ee0bedae6cdfbfc5e2c3450f9decd1 This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit(). mci_pdev has single reference and put_device() calls mc_attr_release() which calls kfree(). The following device_del() works with already released memory. An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great. Signed-off-by: Konstantin Khlebnikov <[email protected]> Cc: [email protected] # 3.[67] Cc: Denis Kirjanov <[email protected]> Cc: Mauro Carvalho Chehab <[email protected]> Link: http://lkml.kernel.org/r/20121214110310.11019.21098.stgit@zurg [ a partial 3.6.y backport ] Signed-off-by: Borislav Petkov <[email protected]> --- drivers/edac/edac_mc_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c index ed0bc07b8503..fe4fa1cde67e 100644 --- a/drivers/edac/edac_mc_sysfs.c +++ b/drivers/edac/edac_mc_sysfs.c @@ -1145,7 +1145,7 @@ int __init edac_mc_sysfs_init(void) void __exit edac_mc_sysfs_exit(void) { - put_device(mci_pdev); device_del(mci_pdev); + put_device(mci_pdev); edac_put_sysfs_subsys(); } -- 1.8.1.rc3 -- Regards/Gruss, Boris. Sent from a fat crate under my desk. Formatting is fine. -- -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
