On Mon, Jan 28, 2019 at 09:31:30AM -0800, Zubin Mithra wrote:
> From: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
>
> commit 726e41097920a73e4c7c33385dcc0debb1281e18 upstream
>
> For devices with a class, we create a "glue" directory between
> the parent device and the new device with the class name.
>
> This directory is never "explicitly" removed when empty however,
> this is left to the implicit sysfs removal done by kobject_release()
> when the object loses its last reference via kobject_put().
>
> This is problematic because as long as it's not been removed from
> sysfs, it is still present in the class kset and in sysfs directory
> structure.
>
> The presence in the class kset exposes a use after free bug fixed
> by the previous patch, but the presence in sysfs means that until
> the kobject is released, which can take a while (especially with
> kobject debugging), any attempt at re-creating such as binding a
> new device for that class/parent pair, will result in a sysfs
> duplicate file name error.
>
> This fixes it by instead doing an explicit kobject_del() when
> the glue dir is empty, by keeping track of the number of
> child devices of the gluedir.
>
> This is made easy by the fact that all glue dir operations are
> done with a global mutex, and there's already a function
> (cleanup_glue_dir) called in all the right places taking that
> mutex that can be enhanced for this. It appears that this was
> in fact the intent of the function, but the implementation was
> wrong.
>
> Backport Note: kref_read() is not present in 4.4. Hence,
> use atomic_read(&kref.refcount) instead of kref_read(&kref).
>
> Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
> Acked-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>
> ---
>  drivers/base/core.c     |  2 ++
>  include/linux/kobject.h | 17 +++++++++++++++++
>  2 files changed, 19 insertions(+)

Now queued up everywhere, thanks.

greg k-h
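
The failure mode described in the quoted commit message, as an added userspace model in C (not the kernel patch and not code from this thread): a glue directory's name stays registered until its last reference is dropped, so re-creating it fails unless it is deleted explicitly once it has no children. The struct, the function names and the "net" directory name are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only; every name here is hypothetical, not kernel API. */
struct glue {
    char name[16];
    int  refs;      /* models the kobject reference count */
    int  children;  /* child devices currently under the glue dir */
    bool visible;   /* name still present in the directory / class set */
};

/* Returns 0 on success, -1 to model the duplicate file name error. */
static int glue_create(struct glue *g, const char *name)
{
    if (g->visible && strcmp(g->name, name) == 0)
        return -1;
    *g = (struct glue){ .refs = 1, .visible = true };  /* fresh object */
    snprintf(g->name, sizeof(g->name), "%s", name);
    return 0;
}

/* Child removal; explicit_del selects the behaviour the commit describes. */
static void child_remove(struct glue *g, bool explicit_del)
{
    g->children--;
    if (explicit_del && g->children == 0)
        g->visible = false;  /* explicit delete once the dir is empty */
    if (--g->refs == 0)
        g->visible = false;  /* implicit removal with the last reference */
}

/* Constructed scenario: one child, plus a reference that is dropped late. */
static int recreate(bool explicit_del)
{
    struct glue g = {0};
    glue_create(&g, "net");
    g.children++;
    g.refs++;                /* holder whose put has not happened yet */
    child_remove(&g, explicit_del);
    return glue_create(&g, "net");
}

int main(void)
{
    printf("implicit %d, explicit %d\n", recreate(false), recreate(true));
    return 0;
}
```

With implicit removal only, the second create returns -1 while the late reference is outstanding; with the explicit delete on an empty directory it returns 0.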