On Fri, Apr 17, 2015 at 09:50:56AM +0200, Jens Wiklander wrote:
> + teedev = devm_kzalloc(dev, sizeof(*teedev), GFP_KERNEL);
[..]
> + rc = misc_register(&teedev->miscdev);
[..]
> +void tee_unregister(struct tee_device *teedev)
> +{
[..]
> + misc_deregister(&teedev->miscdev);
> +}
[..]
>+static int optee_remove(struct platform_device *pdev)
>+{
>+ tee_unregister(optee->teedev);

Isn't that a potential use after free? AFAIK misc_deregister does not
guarantee the miscdev will no longer be accessed after it returns, and
the devm will free it after optee_remove returns.

Memory backing a struct device needs to be freed via the release
function.

We have been going through this for a while with TPM - it seems like
using misc devices dynamically is not a good idea. Manage your own
struct device directly..

Jason
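
Review bot: `teedev` is allocated with `devm_kzalloc(dev, ...)` yet contains the `miscdev` handed to `misc_register()`, so the allocation's lifetime follows the driver binding of `dev` rather than the last user of the misc device. The quoted `tee_unregister()` shows only `misc_deregister(&teedev->miscdev)` and nothing that waits for or counts existing users before `optee_remove()` finishes. Allocate `teedev` outside devm, give it a reference count that each open file holds, and free it from a release callback when the last reference is dropped.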
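
The lifetime rule from the reply above, as an added userspace C model (not code from the patch, the kernel or the author): the object is freed only by its release callback when the last reference is dropped, so a file that is still open when the driver is removed never touches freed memory. Every name here (`model_dev`, `dev_open`, `dev_put`, ...) is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, single-threaded; all names are hypothetical, not kernel APIs. */
static int released_count;               /* times the release callback ran */

struct model_dev {
    int refs;                            /* refcount; the registration holds one */
    bool registered;                     /* cleared by unregister */
    void (*release)(struct model_dev *); /* the only path that frees the object */
};

static void model_release(struct model_dev *d) { released_count++; free(d); }

static struct model_dev *dev_register(void)
{
    struct model_dev *d = malloc(sizeof(*d));
    if (!d) return NULL;
    *d = (struct model_dev){ .refs = 1, .registered = true, .release = model_release };
    return d;
}

static void dev_put(struct model_dev *d) { if (--d->refs == 0) d->release(d); }

/* open(): refuse once unregistered, otherwise pin the object for this file. */
static bool dev_open(struct model_dev *d)
{
    if (!d->registered) return false;
    d->refs++;
    return true;
}

/* ioctl() on an open file: d is still valid because the file holds a reference. */
static int dev_ioctl(struct model_dev *d) { return d->registered ? 0 : -1; }
static void dev_close(struct model_dev *d) { dev_put(d); }

/* remove(): block new opens and drop the registration reference; no free here. */
static void dev_unregister(struct model_dev *d) { d->registered = false; dev_put(d); }

int main(void)
{
    struct model_dev *d = dev_register();
    if (!d || !dev_open(d)) return 1;
    dev_unregister(d);                   /* driver removed while the file is open */
    int rc = dev_ioctl(d);               /* device gone, memory still valid */
    dev_close(d);                        /* last reference dropped: release runs */
    printf("ioctl after remove: %d, releases: %d\n", rc, released_count);
    return 0;
}
```

In the pattern quoted in the thread, the free happens when remove returns regardless of open files; in this model `dev_unregister()` never frees, it only gives up one reference.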