EDAC: Fix kernel panic on module unloading

koct9i · Borislav Petkov · commit 311bd84247ee · 2013-01-07T17:42:58.000+01:00
This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit(). mci_pdev has single reference and put_device() calls mc_attr_release() which calls kfree(). The following device_del() works with already released memory. An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great. Signed-off-by: Konstantin Khlebnikov <khlebnikov@openvz.org> Cc: stable@vger.kernel.org # 3.[67] Cc: Denis Kirjanov <kirjanov@gmail.com> Cc: Mauro Carvalho Chehab <mchehab@redhat.com> Link: http://lkml.kernel.org/r/20121214110310.11019.21098.stgit@zurg Signed-off-by: Borislav Petkov <bp@alien8.de>
diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
@@ -1159,8 +1159,7 @@ int __init edac_mc_sysfs_init(void)
 
 void __exit edac_mc_sysfs_exit(void)
 {
-	put_device(mci_pdev);
 	device_del(mci_pdev);
+	put_device(mci_pdev);
 	edac_put_sysfs_subsys();
-	kfree(mci_pdev);
 }

Original file line number	Diff line number	Diff line change
`@@ -1159,8 +1159,7 @@ int __init edac_mc_sysfs_init(void)`
`1159`	`1159`
`1160`	`1160`	`void __exit edac_mc_sysfs_exit(void)`
`1161`	`1161`	`{`
`1162`		`- put_device(mci_pdev);`
`1163`	`1162`	`device_del(mci_pdev);`
	`1163`	`+ put_device(mci_pdev);`
`1164`	`1164`	`edac_put_sysfs_subsys();`
`1165`		`- kfree(mci_pdev);`
`1166`	`1165`	`}`