blockdevice_unregister only calls devfs_remove on the root cdev and leaves the partition cdevs dangling. This doesn't break until the block device parent struct device is freed at which time, it will iterate over its cdevs to free them. If there's partitions there, list_del on the partitions triggers a use after free. Fix this by removing partitions whenever the master cdev is deleted. Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx> --- fs/devfs-core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/devfs-core.c b/fs/devfs-core.c index fef66e08e293..244f76f62c52 100644 --- a/fs/devfs-core.c +++ b/fs/devfs-core.c @@ -375,6 +375,7 @@ int devfs_create_link(struct cdev *cdev, const char *name) } INIT_LIST_HEAD(&new->links); + INIT_LIST_HEAD(&new->partitions); list_add_tail(&new->list, &cdev_list); list_add_tail(&new->link_entry, &cdev->links); @@ -396,6 +397,9 @@ int devfs_remove(struct cdev *cdev) list_for_each_entry_safe(c, tmp, &cdev->links, link_entry) devfs_remove(c); + list_for_each_entry_safe(c, tmp, &cdev->partitions, partition_entry) + cdevfs_del_partition(c); + if (cdev_is_partition(cdev)) list_del(&cdev->partition_entry); -- 2.39.2
