From maneesh@in.ibm.com Wed Aug 10 22:37:24 2005
Date: Thu, 11 Aug 2005 11:04:45 +0530
From: Maneesh Soni <maneesh@in.ibm.com>
To: Greg KH <greg@kroah.com>
Cc: Keith Owens <kaos@sgi.com>, Andrew Morton <akpm@osdl.org>, <sonny@burdell.org>, <airlied@gmail.com>, <miles.lane@gmail.com>
Subject: Driver core: potentially fix use after free in class_device_attr_show
Message-ID: <20050811053445.GA4656@in.ibm.com>

o moves the code to free devt_attr from class_device_del() to
  class_dev_release() which is called after the last reference to the
  corresponding kobject() is gone. This allows to keep the devt_attr
  alive while the corresponding sysfs file is open.

Signed-off-by: Maneesh Soni <maneesh@in.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/base/class.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

--- gregkh-2.6.orig/drivers/base/class.c	2005-08-12 15:09:50.000000000 -0700
+++ gregkh-2.6/drivers/base/class.c	2005-08-12 15:09:53.000000000 -0700
@@ -300,6 +300,11 @@
 
 	pr_debug("device class '%s': release.\n", cd->class_id);
 
+	if (cd->devt_attr) {
+		kfree(cd->devt_attr);
+		cd->devt_attr = NULL;
+	}
+
 	if (cls->release)
 		cls->release(cd);
 	else {
@@ -631,11 +636,8 @@
 				  kobject_name(&class_dev->kobj));
 		sysfs_remove_link(&class_dev->kobj, "device");
 	}
-	if (class_dev->devt_attr) {
+	if (class_dev->devt_attr)
 		class_device_remove_file(class_dev, class_dev->devt_attr);
-		kfree(class_dev->devt_attr);
-		class_dev->devt_attr = NULL;
-	}
 	class_device_remove_attrs(class_dev);
 
 	kobject_hotplug(&class_dev->kobj, KOBJ_REMOVE);