put_device calls release function which do kfree() inside. So following use of sch&cdev would cause use-after-free bugs. Fix these by simply adjusting the position of put_device. Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support") Reported-by: Hulk Robot <hulkci@xxxxxxxxxx> Suggested-by: Cornelia Huck <cohuck@xxxxxxxxxx> Signed-off-by: Qinglang Miao <miaoqinglang@xxxxxxxxxx> --- This patch is indeed a v2 of older one. Considering that the patch's name has changed, I think a normal prefix 'PATCH' is better. drivers/s390/cio/device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c index b29fe8d50..33280ca18 100644 --- a/drivers/s390/cio/device.c +++ b/drivers/s390/cio/device.c @@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev) struct io_subchannel_private *io_priv = to_io_private(sch); set_io_private(sch, NULL); - put_device(&sch->dev); - put_device(&cdev->dev); dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area), io_priv->dma_area, io_priv->dma_area_dma); + put_device(&sch->dev); + put_device(&cdev->dev); kfree(io_priv); } -- 2.23.0
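Review bot: The ordering constraint in ccw_device_destroy_console() is left implicit: after the move, the two put_device() calls sit between dma_free_coherent() and kfree(io_priv) with nothing in the code saying that they may drop the last reference and free sch and cdev. A short comment above put_device(&sch->dev), stating that sch and cdev must not be dereferenced past that point, would keep a later cleanup from moving the calls back up and reintroducing the use-after-free. The trailing kfree(io_priv) looks fine where it is, since io_priv is a local pointer taken via to_io_private(sch) before set_io_private(sch, NULL) detaches it, so it does not go through sch after the puts. In the visible hunk the only access after the old put_device() position is &sch->dev passed to dma_free_coherent(), so the commit message could name that call instead of the general "use of sch&cdev".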