diff options
| author | Ahmad Fatoum <ahmad@a3f.at> | 2020-09-13 19:55:05 +0200 |
|---|---|---|
| committer | Sascha Hauer <s.hauer@pengutronix.de> | 2020-09-14 15:06:21 +0200 |
| commit | 29f1c211d86ca09709f816722131240df49133c7 (patch) | |
| tree | 5ae4e8a07f2621ed3ce07de73ee2dc1ba36f37a9 /fs | |
| parent | 90566f5c77e06de1a031c2b30a7472362ff9a75e (diff) | |
| download | barebox-29f1c211d86ca09709f816722131240df49133c7.tar.gz barebox-29f1c211d86ca09709f816722131240df49133c7.tar.xz | |
fs: don't free device in remove callback
The probe doesn't allocate the device, so remove shouldn't free it
either. This fixes a use-after-free on barebox shutdown:
Iterating over the list of devices requires that remove callbacks
don't remove the devices. This happened to work so far, because
apparently not much new allocations are going on during barebox
shutdown, but let's do it right.
Signed-off-by: Ahmad Fatoum <ahmad@a3f.at>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/fs.c | 11 |
1 files changed, 9 insertions, 2 deletions
@@ -679,7 +679,6 @@ static void fs_remove(struct device_d *dev) mntput(fsdev->vfsmount.parent); free(fsdev->backingstore); - free(fsdev); } struct bus_type fs_bus = { @@ -759,10 +758,18 @@ static void init_super(struct super_block *sb) static int fsdev_umount(struct fs_device_d *fsdev) { + int ret; + if (fsdev->vfsmount.ref) return -EBUSY; - return unregister_device(&fsdev->dev); + ret = unregister_device(&fsdev->dev); + if (ret) + return ret; + + free(fsdev); + + return 0; } /** |