MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-07-05 13:25:20 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

mtd: core: fix use-after-free caused by unbind

Browse Source 
mtd block device like /dev/mtdblock0 will be released by
del_mtd_blktrans_dev(), it will call  __put_mtd_device()
directly, because we will delete device together in
del_mtd_device() when exec was running and together with
unbinding device happend, adjust this delete process after
mtd block device's removing function will avoid this
use-aftr-free issue.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
This commit is contained in:
Liwei Song 2025-06-23 17:01:58 +08:00 committed by Bruce Ashfield
parent cf4a4aafe3
commit 0adee81a50
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/mtd/mtdcore.c
View File

@ -762,17 +762,17 @@ int del_mtd_device(struct mtd_info *mtd)
goto out_error;
}
/* No need to get a refcount on the module containing
the notifier, since we hold the mtd_table_mutex */
list_for_each_entry(not, &mtd_notifiers, list)
not->remove(mtd);
while (master->mtd_event_remove) {
if (kref_read(&mtd->refcnt) == 1)
break;
__put_mtd_device(mtd);
}
/* No need to get a refcount on the module containing
the notifier, since we hold the mtd_table_mutex */
list_for_each_entry(not, &mtd_notifiers, list)
not->remove(mtd);
kref_put(&mtd->refcnt, mtd_device_release);
ret = 0;