From 311bd84247ee0bedae6cdfbfc5e2c3450f9decd1 Mon Sep 17 00:00:00 2001 From: Konstantin Khlebnikov Date: Fri, 14 Dec 2012 15:03:10 +0400 Subject: [PATCH] EDAC: Fix kernel panic on module unloading This patch fixes use-after-free and double-free bugs in edac_mc_sysfs_exit(). mci_pdev has single reference and put_device() calls mc_attr_release() which calls kfree(). The following device_del() works with already released memory. An another kfree() in edac_mc_sysfs_exit() releses the same memory again. Great. Signed-off-by: Konstantin Khlebnikov Cc: stable@vger.kernel.org # 3.[67] Cc: Denis Kirjanov Cc: Mauro Carvalho Chehab Link: http://lkml.kernel.org/r/20121214110310.11019.21098.stgit@zurg Signed-off-by: Borislav Petkov --- drivers/edac/edac_mc_sysfs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c index de2df92f9c77..a3b0119ecb00 100644 --- a/drivers/edac/edac_mc_sysfs.c +++ b/drivers/edac/edac_mc_sysfs.c @@ -1159,8 +1159,7 @@ int __init edac_mc_sysfs_init(void) void __exit edac_mc_sysfs_exit(void) { - put_device(mci_pdev); device_del(mci_pdev); + put_device(mci_pdev); edac_put_sysfs_subsys(); - kfree(mci_pdev); }