projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 11b2118)
s390/cio: fix use-after-free in ccw_device_destroy_console
authorQinglang Miao <miaoqinglang@huawei.com>
Tue, 1 Dec 2020 06:31:50 +0000 (14:31 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 30 Dec 2020 10:53:46 +0000 (11:53 +0100)
[ Upstream commit 14d4c4fa46eeaa3922e8e1c4aa727eb0a1412804 ]

Use of sch->dev reference after the put_device() call could trigger
the use-after-free bugs.

Fix this by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Reported-by: Hulk Robot <hulkci@huawei.com>
Suggested-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
[vneethv@linux.ibm.com: Slight modification in the commit-message]
Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/s390/cio/device.c patch | blob | history

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index b29fe8d..33280ca 100644 (file)
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev)
        struct io_subchannel_private *io_priv = to_io_private(sch);
 
        set_io_private(sch, NULL);
-       put_device(&sch->dev);
-       put_device(&cdev->dev);
        dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area),
                          io_priv->dma_area, io_priv->dma_area_dma);
+       put_device(&sch->dev);
+       put_device(&cdev->dev);
        kfree(io_priv);
 }