On Tue, 2017-03-28 at 14:31 +0200, Greg Kroah-Hartman wrote:
[...]
> static void serial8250_io_resume(struct pci_dev *dev)
> {
> struct serial_private *priv = pci_get_drvdata(dev);
> + const struct pciserial_board *board;
>
> - if (priv)
> - pciserial_resume_ports(priv);
> + if (!priv)
> + return;
> +
> + board = priv->board;
> + kfree(priv);
> + priv = pciserial_init_ports(dev, board);
> +
> + if (!IS_ERR(priv)) {
> + pci_set_drvdata(dev, priv);
> + }
> }
On error, this leaves drvdata as a dangling pointer. Removing the
device or driver will then cause a use-after-free. (And setting drvdata
to NULL isn't enough to fix this as there is no null pointer check in
pciserial_remove_ports().)
Ben.
--
Ben Hutchings
Software Developer, Codethink Ltd.