From: Qinglang Miao miaoqinglang@huawei.com
[ Upstream commit 14d4c4fa46eeaa3922e8e1c4aa727eb0a1412804 ]
Use of sch->dev reference after the put_device() call could trigger the use-after-free bugs.
Fix this by simply adjusting the position of put_device.
Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support") Reported-by: Hulk Robot hulkci@huawei.com Suggested-by: Cornelia Huck cohuck@redhat.com Signed-off-by: Qinglang Miao miaoqinglang@huawei.com Reviewed-by: Cornelia Huck cohuck@redhat.com Reviewed-by: Vineeth Vijayan vneethv@linux.ibm.com [vneethv@linux.ibm.com: Slight modification in the commit-message] Signed-off-by: Vineeth Vijayan vneethv@linux.ibm.com Signed-off-by: Heiko Carstens hca@linux.ibm.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/s390/cio/device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c index b29fe8d50baf2..33280ca181e95 100644 --- a/drivers/s390/cio/device.c +++ b/drivers/s390/cio/device.c @@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev) struct io_subchannel_private *io_priv = to_io_private(sch);
set_io_private(sch, NULL); - put_device(&sch->dev); - put_device(&cdev->dev); dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area), io_priv->dma_area, io_priv->dma_area_dma); + put_device(&sch->dev); + put_device(&cdev->dev); kfree(io_priv); }