diff options
| author | Sebastian Ott <sebott@linux.vnet.ibm.com> | 2009-09-11 10:28:26 +0200 |
|---|---|---|
| committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2009-09-11 10:29:40 +0200 |
| commit | 3b554a14f4bdf754ba9d2f64c2b6edf8dafe93b9 (patch) | |
| tree | a01fc109cd60297d404e0e21f7457bd8e15f372b /drivers/s390 | |
| parent | 6ee4fec6be06f7d138860b37cba58982cc3ccb16 (diff) | |
| download | op-kernel-dev-3b554a14f4bdf754ba9d2f64c2b6edf8dafe93b9.zip op-kernel-dev-3b554a14f4bdf754ba9d2f64c2b6edf8dafe93b9.tar.gz | |
[S390] cio: move final put_device to ccw_device_unregister
We use a test_and_clear_bit to prevent a device from being
unregistered twice. Unfortunately in this cases the "final"
put_device (from device_initialize) was issued more than once,
resulting in an use after free error. Fix this by moving this
put_device to ccw_device_unregister.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
| -rw-r--r-- | drivers/s390/cio/device.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c index 6b770f8..345a61f 100644 --- a/drivers/s390/cio/device.c +++ b/drivers/s390/cio/device.c @@ -307,8 +307,11 @@ int ccw_device_is_orphan(struct ccw_device *cdev) static void ccw_device_unregister(struct ccw_device *cdev) { - if (test_and_clear_bit(1, &cdev->private->registered)) + if (test_and_clear_bit(1, &cdev->private->registered)) { device_del(&cdev->dev); + /* Release reference from device_initialize(). */ + put_device(&cdev->dev); + } } static void ccw_device_remove_orphan_cb(struct work_struct *work) @@ -319,7 +322,6 @@ static void ccw_device_remove_orphan_cb(struct work_struct *work) priv = container_of(work, struct ccw_device_private, kick_work); cdev = priv->cdev; ccw_device_unregister(cdev); - put_device(&cdev->dev); /* Release cdev reference for workqueue processing. */ put_device(&cdev->dev); } @@ -1358,7 +1360,6 @@ io_subchannel_remove (struct subchannel *sch) cdev->private->state = DEV_STATE_NOT_OPER; spin_unlock_irqrestore(cdev->ccwlock, flags); ccw_device_unregister(cdev); - put_device(&cdev->dev); kfree(sch->private); sysfs_remove_group(&sch->dev.kobj, &io_subchannel_attr_group); return 0; |
