Commit ccaf6553 authored Nov 13, 2009 by Gerald Schaefer Committed by Martin Schwidefsky Nov 13, 2009

[S390] monreader: fix use after free bug with suspend/resume



The monreader device driver doesn't set dev->driver_data to NULL after
freeing the corresponding data structure. This leads to a use after
free bug in the freeze/thaw suspend/resume functions after the device
has been opened and closed once. Fix this by clearing dev->driver_data
in the close() function.

Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

parent 156171c7

drivers/s390/char/monreader.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -357,6 +357,7 @@ static int mon_close(struct inode inode, struct file filp)
		atomic_set(&monpriv->msglim_count, 0);
		monpriv->write_index = 0;
		monpriv->read_index = 0;
		dev_set_drvdata(monreader_device, NULL);

		for (i = 0; i < MON_MSGLIM; i++)
		kfree(monpriv->msg_array[i]);