author | Gerald Schaefer <gerald.schaefer@de.ibm.com> | 2009-11-13 09:43:51 -0500 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2009-11-13 09:45:03 -0500 |
commit | ccaf6553963bc6304d5820962a08a4397d0a2dc2 (patch) | |
tree | 55b301555c75a43fd905c4cdf5af175c1e0d29bb | |
parent | 156171c71a0dc4bce12b4408bb1591f8fe32dc1a (diff) |
[S390] monreader: fix use after free bug with suspend/resume
The monreader device driver doesn't set dev->driver_data to NULL after
freeing the corresponding data structure. This leads to a use after
free bug in the freeze/thaw suspend/resume functions after the device
has been opened and closed once. Fix this by clearing dev->driver_data
in the close() function.
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-rw-r--r-- | drivers/s390/char/monreader.c | 1 |
1 files changed, 1 insertions, 0 deletions
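--- a/drivers/s390/char/monreader.c
+++ b/drivers/s390/char/monreader.c
@@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp)
 atomic_set(&monpriv->msglim_count, 0);
 monpriv->write_index = 0;
 monpriv->read_index = 0;
+dev_set_drvdata(monreader_device, NULL);
 
 for (i = 0; i < MON_MSGLIM; i++)
 kfree(monpriv->msg_array[i]);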
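Review bot: The added `dev_set_drvdata(monreader_device, NULL);` in mon_close() has no comment explaining why it must come before the kfree() calls, so a later cleanup could move or drop it and bring back the stale pointer. I would put a one-line comment above it, such as `/* clear drvdata before freeing: freeze/thaw read it via the device */`. The commit message implies the freeze/thaw callbacks treat a NULL drvdata as "device not open"; that check is not visible in this hunk and is worth confirming. Also worth confirming is any other path that frees the structure after it has been published with dev_set_drvdata(), for example an error path in open(). mon_close() starts and ends outside the hunk, so the final free of monpriv is not shown here.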