Chris Down writes:
open(f);
    debugfs_file_get(f);
    fops->open();
    inode->private = ps;
    debugfs_file_put(f);
remove_printk_fmt_sec(); /* kfree ps */
read(f);
    debugfs_file_get(f);
    fops->read();
    ps = inode->private; /* invalid */
    debugfs_file_put(f);
Er, sorry, inode->private is populated at creation time, not at open(). The same general concern applies though -- as far as I can tell there's some period where we may be able to _read() and `ps` has already been freed.
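As an added user-space model (not code from this thread or from the kernel), here is one way to close the window described above: the driver-owned data carries its own reference count, a reader takes a reference under a lock only while the section is still live, and whoever drops the last reference frees it; debugfs_file_get()/put() are left out because they pin the file, not the data behind its private pointer. The struct layout and the names sec_read, sec_create, sec_remove and printk_sec are made up for the model.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct printk_sec {          /* stands in for `ps`; layout is made up */
    int refs;                /* one for the creator, one per reader in flight */
    int live;                /* cleared by remove so new readers fail fast */
    char fmt[32];
};
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; /* guards refs/live */
static struct printk_sec *inode_private;                 /* models inode->private */
static void ps_put(struct printk_sec *ps)                /* call with lock held */
{
    if (--ps->refs == 0)
        free(ps);            /* whoever drops the last ref does the kfree */
}
/* Reader: take a ref only while live; the ref, not the lock, keeps ps valid. */
int sec_read(char *buf, size_t len)
{
    pthread_mutex_lock(&lock);
    struct printk_sec *ps = inode_private;
    if (!ps || !ps->live) {
        pthread_mutex_unlock(&lock);
        return -ENOENT;      /* lost the race with remove: report, don't touch */
    }
    ps->refs++;
    pthread_mutex_unlock(&lock);
    int n = snprintf(buf, len, "%s", ps->fmt);
    pthread_mutex_lock(&lock);
    ps_put(ps);
    pthread_mutex_unlock(&lock);
    return n;
}
void sec_create(const char *fmt)
{
    struct printk_sec *ps = calloc(1, sizeof *ps);
    ps->refs = 1; ps->live = 1;
    snprintf(ps->fmt, sizeof ps->fmt, "%s", fmt);
    pthread_mutex_lock(&lock); inode_private = ps; pthread_mutex_unlock(&lock);
}
/* Remover: unpublish, mark dead, drop creator's ref; a reader's own ref frees later. */
void sec_remove(void)
{
    pthread_mutex_lock(&lock);
    struct printk_sec *ps = inode_private;
    inode_private = NULL;
    if (ps) { ps->live = 0; ps_put(ps); }
    pthread_mutex_unlock(&lock);
}
```

A read that already holds its reference when sec_remove() runs completes on the old object and frees it in its own put, so no path ever dereferences freed memory.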