diff options
author | Gerald Schaefer <gerald.schaefer@de.ibm.com> | 2009-11-13 15:43:51 +0100 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2009-11-13 15:45:03 +0100 |
commit | ccaf6553963bc6304d5820962a08a4397d0a2dc2 (patch) | |
tree | 55b301555c75a43fd905c4cdf5af175c1e0d29bb /drivers/s390 | |
parent | 156171c71a0dc4bce12b4408bb1591f8fe32dc1a (diff) | |
download | op-kernel-dev-ccaf6553963bc6304d5820962a08a4397d0a2dc2.zip op-kernel-dev-ccaf6553963bc6304d5820962a08a4397d0a2dc2.tar.gz |
[S390] monreader: fix use after free bug with suspend/resume
The monreader device driver doesn't set dev->driver_data to NULL after
freeing the corresponding data structure. This leads to a use after
free bug in the freeze/thaw suspend/resume functions after the device
has been opened and closed once. Fix this by clearing dev->driver_data
in the close() function.
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/char/monreader.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/s390/char/monreader.c b/drivers/s390/char/monreader.c index 89ece1c..66e21dd 100644 --- a/drivers/s390/char/monreader.c +++ b/drivers/s390/char/monreader.c @@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp) atomic_set(&monpriv->msglim_count, 0); monpriv->write_index = 0; monpriv->read_index = 0; + dev_set_drvdata(monreader_device, NULL); for (i = 0; i < MON_MSGLIM; i++) kfree(monpriv->msg_array[i]); |