blockdevice_unregister only calls devfs_remove on the root cdev and leaves the partition cdevs dangling. This doesn't break until the block device parent struct device is freed at which time, it will iterate over its cdevs to free them. If there's partitions there, list_del on the partitions triggers a use after free. This series fixes this by removing partitions whenever the master cdev is deleted. Code has been this way since for ever, but virtio deletes its devices on shutdown triggering this issue. As virtio isn't that critical, I think it's ok to not go into master right away and sit in next first. common/partitions.c | 12 +++++++---- drivers/base/driver.c | 2 +- drivers/of/partition.c | 16 +++++++-------- fs/devfs-core.c | 45 +++++++++++++++++++++++++++--------------- include/driver.h | 12 +++++++---- lib/bootstrap/devfs.c | 2 +- 6 files changed, 55 insertions(+), 34 deletions(-) -- 2.39.2
