aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGerald Schaefer <gerald.schaefer@de.ibm.com>2009-11-13 09:43:51 -0500
committerMartin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>2009-11-13 09:45:03 -0500
commitccaf6553963bc6304d5820962a08a4397d0a2dc2 (patch)
tree55b301555c75a43fd905c4cdf5af175c1e0d29bb
parent156171c71a0dc4bce12b4408bb1591f8fe32dc1a (diff)
[S390] monreader: fix use after free bug with suspend/resume
The monreader device driver doesn't set dev->driver_data to NULL after freeing the corresponding data structure. This leads to a use after free bug in the freeze/thaw suspend/resume functions after the device has been opened and closed once. Fix this by clearing dev->driver_data in the close() function. Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-rw-r--r--drivers/s390/char/monreader.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/s390/char/monreader.c b/drivers/s390/char/monreader.c
index 89ece1c235aa..66e21dd23154 100644
--- a/drivers/s390/char/monreader.c
+++ b/drivers/s390/char/monreader.c
@@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp)
357 atomic_set(&monpriv->msglim_count, 0); 357 atomic_set(&monpriv->msglim_count, 0);
358 monpriv->write_index = 0; 358 monpriv->write_index = 0;
359 monpriv->read_index = 0; 359 monpriv->read_index = 0;
360 dev_set_drvdata(monreader_device, NULL);
360 361
361 for (i = 0; i < MON_MSGLIM; i++) 362 for (i = 0; i < MON_MSGLIM; i++)
362 kfree(monpriv->msg_array[i]); 363 kfree(monpriv->msg_array[i]);