On (Fri) 19 Jul 2013 [11:21:47], Jason Wang wrote: > On 07/19/2013 04:16 AM, Amit Shah wrote: > > diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c > > index b04ec95..6bf0df3 100644 > > --- a/drivers/char/virtio_console.c > > +++ b/drivers/char/virtio_console.c > > @@ -1501,14 +1501,6 @@ static void remove_port(struct kref *kref) > > > > port = container_of(kref, struct port, kref); > > > > - sysfs_remove_group(&port->dev->kobj, &port_attribute_group); > > - device_destroy(pdrvdata.class, port->dev->devt); > > - cdev_del(port->cdev); > > - > > - kfree(port->name); > > - > > - debugfs_remove(port->debugfs_file); > > - > > kfree(port); > > } > > > > @@ -1566,6 +1558,14 @@ static void unplug_port(struct port *port) > > */ > > port->portdev = NULL; > > > > + sysfs_remove_group(&port->dev->kobj, &port_attribute_group); > > + device_destroy(pdrvdata.class, port->dev->devt); > > + cdev_del(port->cdev); > > + > > + kfree(port->name); > > + > > + debugfs_remove(port->debugfs_file); > > + > > /* > > * Locks around here are not necessary - a port can't be > > * opened after we removed the port struct from ports_list > > Should we remove debugfs file before kfree()? Otherwise looks like a > use-after-free if user access debugfs after kfree(). It is removed before kfree() -- kfree() is called in remove_port(), which is called when all the references are dropped. (Did you confuse kfree(port->name) with kfree(port)?) Thanks, Amit _______________________________________________ Virtualization mailing list Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/virtualization
