[S390] cio: ensure to hold a reference for deferred deregistration

Ensure to always hold an extra device reference for scheduling a subchannel deregistration, by moving the get_device to ccw_device_schedule_sch_unregister. This fixes an use after free error in ccw_device_call_sch_unregister where put_device was called on an already freed device structure. Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Sebastian Ott <sebott@linux.vnet.ibm.com> 2009-09-11 04:28:20 -0400
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> 2009-09-11 04:29:38 -0400
commit: be7a2ddce66991c05a1c6ad19790289591e53547 (patch)
tree: 89b74961a7da107e7eebe4486f48bb9c4426938e
parent: e2910bcf8ca762b306767a0894ab1987be014c9e (diff)
1 files changed, 6 insertions, 8 deletions
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index 19b4469a3ca4..a7a340b1d713 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -333,15 +333,15 @@ ccw_device_remove_disconnected(struct ccw_device *cdev)
         * Forced offline in disconnected state means
         * 'throw away device'.
         */
-        /* Get cdev reference for workqueue processing. */
-        if (!get_device(&cdev->dev))
-                return;
        if (ccw_device_is_orphan(cdev)) {
                /*
                 * Deregister ccw device.
                 * Unfortunately, we cannot do this directly from the
                 * attribute method.
                 */
+                /* Get cdev reference for workqueue processing. */
+                if (!get_device(&cdev->dev))
+                        return;
                spin_lock_irqsave(cdev->ccwlock, flags);
                cdev->private->state = DEV_STATE_NOT_OPER;
                spin_unlock_irqrestore(cdev->ccwlock, flags);
@@ -1032,6 +1032,9 @@ static void ccw_device_call_sch_unregister(struct work_struct *work)
 void ccw_device_schedule_sch_unregister(struct ccw_device *cdev)
 {
+        /* Get cdev reference for workqueue processing. */
+        if (!get_device(&cdev->dev))
+                return;
        PREPARE_WORK(&cdev->private->kick_work,
                     ccw_device_call_sch_unregister);
        queue_work(slow_path_wq, &cdev->private->kick_work);
@@ -1052,9 +1055,6 @@ io_subchannel_recog_done(struct ccw_device *cdev)
                /* Device did not respond in time. */
        case DEV_STATE_NOT_OPER:
                cdev->private->flags.recog_done = 1;
-                /* Remove device found not operational. */
-                if (!get_device(&cdev->dev))
-                        break;
                ccw_device_schedule_sch_unregister(cdev);
                if (atomic_dec_and_test(&ccw_device_init_count))
                        wake_up(&ccw_device_init_wq);
@@ -1565,8 +1565,6 @@ static int purge_fn(struct device *dev, void *data)
        spin_unlock_irq(cdev->ccwlock);
        if (!unreg)
                goto out;
-        if (!get_device(&cdev->dev))
-                goto out;
        CIO_MSG_EVENT(3, "ccw: purging 0.%x.%04x\n", priv->dev_id.ssid,
                      priv->dev_id.devno);
        ccw_device_schedule_sch_unregister(cdev);
author	Sebastian Ott <sebott@linux.vnet.ibm.com>	2009-09-11 04:28:20 -0400
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2009-09-11 04:29:38 -0400
commit	be7a2ddce66991c05a1c6ad19790289591e53547 (patch)
tree	89b74961a7da107e7eebe4486f48bb9c4426938e
parent	e2910bcf8ca762b306767a0894ab1987be014c9e (diff)