From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , alan@lxorguk.ukuu.org.uk, Konstantin Khlebnikov , Denis Kirjanov , Mauro Carvalho Chehab , Borislav Petkov , Borislav Petkov Subject: [ 187/221] EDAC: Fix kernel panic on module unloading Date: Tue, 15 Jan 2013 10:51:54 -0800 Message-Id: <20130115185011.519323969@linuxfoundation.org> In-Reply-To: <20130115184958.025580322@linuxfoundation.org> References: <20130115184958.025580322@linuxfoundation.org> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.7-stable review patch. If anyone has any objections, please let me know. ------------------ From: Konstantin Khlebnikov commit 311bd84247ee0bedae6cdfbfc5e2c3450f9decd1 upstream. This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit(). mci_pdev has a single reference and put_device() calls mc_attr_release() which calls kfree(). The following device_del() works with already released memory. Another kfree() in edac_mc_sysfs_exit() releases the same memory again. Great. Signed-off-by: Konstantin Khlebnikov Cc: Denis Kirjanov Cc: Mauro Carvalho Chehab Link: http://lkml.kernel.org/r/20121214110310.11019.21098.stgit@zurg Signed-off-by: Borislav Petkov [ a partial 3.7.y backport ] Signed-off-by: Borislav Petkov Signed-off-by: Greg Kroah-Hartman --- drivers/edac/edac_mc_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/edac/edac_mc_sysfs.c +++ b/drivers/edac/edac_mc_sysfs.c @@ -1145,7 +1145,7 @@ int __init edac_mc_sysfs_init(void) void __exit edac_mc_sysfs_exit(void) { - put_device(mci_pdev); device_del(mci_pdev); + put_device(mci_pdev); edac_put_sysfs_subsys(); }
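Review bot: the changelog describes two bugs, but the hunk in edac_mc_sysfs_exit() only corresponds to one of them. Moving put_device(mci_pdev) after device_del(mci_pdev) addresses the use-after-free, yet no kfree() appears in the function body shown here, neither removed nor as context, so the double-free sentence has nothing to match in this tree. The "[ a partial 3.7.y backport ]" tag should state which part of the upstream commit was dropped and why, so a stable reviewer does not have to diff against upstream to confirm that nothing was missed. A one-line comment above put_device(mci_pdev) noting that it drops the only reference and that the release callback frees the device would also help keep the two calls from being swapped back later.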