Re: [OOPS][RESEND] 2.6.0-test4-mm4
From: Andrew Morton
Date: Tue Sep 02 2003 - 00:41:55 EST
Andrew Morton <akpm@xxxxxxxx> wrote:
>
> This should fix it up.
oops, that had a use-after-free as well.
I don't really see a sane way of maintaining kobj->k_name going into
t->release(), so the release() implementations will just have to handle a
NULL kobj->k_name.
diff -puN lib/kobject.c~kobject-unlimited-name-lengths-use-after-free-fix lib/kobject.c
--- 25/lib/kobject.c~kobject-unlimited-name-lengths-use-after-free-fix 2003-09-01 22:20:27.000000000 -0700
+++ 25-akpm/lib/kobject.c 2003-09-01 22:36:16.000000000 -0700
@@ -443,15 +443,20 @@ void kobject_cleanup(struct kobject * ko
{
struct kobj_type * t = get_ktype(kobj);
struct kset * s = kobj->kset;
+ char *name = NULL;
pr_debug("kobject %s: cleaning up\n",kobject_name(kobj));
+
+ if (kobj->k_name != kobj->name)
+ name = kobj->k_name;
+ kobj->k_name = NULL;
if (t && t->release)
t->release(kobj);
if (s)
kset_put(s);
- if (kobj->k_name != kobj->name)
- kfree(kobj->k_name);
- kobj->k_name = NULL;
+
+ if (name)
+ kfree(name);
}
/**
_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/