diff options
author | Sebastian Ott <sebott@linux.vnet.ibm.com> | 2009-09-11 04:28:23 -0400 |
---|---|---|
committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2009-09-11 04:29:39 -0400 |
commit | f014824ee72e66292c3b1172dc142f959b42e61b (patch) | |
tree | 34281651ecca3279d55df0db7fc28f942841319d /drivers/s390 | |
parent | 3f09bb8965cefe36f42a9ec09ebb821523eba530 (diff) |
[S390] cio: fix use after free in s390 debug feature
When using s390dbf with "%s" in sprintf format strings the string itself
is not copied to the dbf buffer.
Since in this case only pointers are stored in the s390dbf, we should
not use dev_name - which is bound to the lifetime of the device.
Reading this entry from s390dbf after the device was released will cause
an use after free error.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/cio/device.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c index a50cfa51aa3c..6b770f8c0a89 100644 --- a/drivers/s390/cio/device.c +++ b/drivers/s390/cio/device.c | |||
@@ -2038,7 +2038,9 @@ static void __ccw_device_pm_restore(struct ccw_device *cdev) | |||
2038 | spin_unlock_irq(sch->lock); | 2038 | spin_unlock_irq(sch->lock); |
2039 | if (ret) { | 2039 | if (ret) { |
2040 | CIO_MSG_EVENT(0, "Couldn't start recognition for device " | 2040 | CIO_MSG_EVENT(0, "Couldn't start recognition for device " |
2041 | "%s (ret=%d)\n", dev_name(&cdev->dev), ret); | 2041 | "0.%x.%04x (ret=%d)\n", |
2042 | cdev->private->dev_id.ssid, | ||
2043 | cdev->private->dev_id.devno, ret); | ||
2042 | spin_lock_irq(sch->lock); | 2044 | spin_lock_irq(sch->lock); |
2043 | cdev->private->state = DEV_STATE_DISCONNECTED; | 2045 | cdev->private->state = DEV_STATE_DISCONNECTED; |
2044 | spin_unlock_irq(sch->lock); | 2046 | spin_unlock_irq(sch->lock); |
@@ -2101,8 +2103,9 @@ static int ccw_device_pm_restore(struct device *dev) | |||
2101 | } | 2103 | } |
2102 | /* check if the device id has changed */ | 2104 | /* check if the device id has changed */ |
2103 | if (sch->schib.pmcw.dev != cdev->private->dev_id.devno) { | 2105 | if (sch->schib.pmcw.dev != cdev->private->dev_id.devno) { |
2104 | CIO_MSG_EVENT(0, "resume: sch %s: failed (devno changed from " | 2106 | CIO_MSG_EVENT(0, "resume: sch 0.%x.%04x: failed (devno " |
2105 | "%04x to %04x)\n", dev_name(&sch->dev), | 2107 | "changed from %04x to %04x)\n", |
2108 | sch->schid.ssid, sch->schid.sch_no, | ||
2106 | cdev->private->dev_id.devno, | 2109 | cdev->private->dev_id.devno, |
2107 | sch->schib.pmcw.dev); | 2110 | sch->schib.pmcw.dev); |
2108 | goto out_unreg_unlock; | 2111 | goto out_unreg_unlock; |
@@ -2135,8 +2138,9 @@ static int ccw_device_pm_restore(struct device *dev) | |||
2135 | if (cm_enabled) { | 2138 | if (cm_enabled) { |
2136 | ret = ccw_set_cmf(cdev, 1); | 2139 | ret = ccw_set_cmf(cdev, 1); |
2137 | if (ret) { | 2140 | if (ret) { |
2138 | CIO_MSG_EVENT(2, "resume: cdev %s: cmf failed " | 2141 | CIO_MSG_EVENT(2, "resume: cdev 0.%x.%04x: cmf failed " |
2139 | "(rc=%d)\n", dev_name(&cdev->dev), ret); | 2142 | "(rc=%d)\n", cdev->private->dev_id.ssid, |
2143 | cdev->private->dev_id.devno, ret); | ||
2140 | ret = 0; | 2144 | ret = 0; |
2141 | } | 2145 | } |
2142 | } | 2146 | } |