提交 ccaf6553 编写于 作者: G Gerald Schaefer 提交者: Martin Schwidefsky

[S390] monreader: fix use after free bug with suspend/resume

The monreader device driver doesn't set dev->driver_data to NULL after
freeing the corresponding data structure. This leads to a use after
free bug in the freeze/thaw suspend/resume functions after the device
has been opened and closed once. Fix this by clearing dev->driver_data
in the close() function.
Signed-off-by: NGerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: NMartin Schwidefsky <schwidefsky@de.ibm.com>
上级 156171c7
...@@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp) ...@@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp)
atomic_set(&monpriv->msglim_count, 0); atomic_set(&monpriv->msglim_count, 0);
monpriv->write_index = 0; monpriv->write_index = 0;
monpriv->read_index = 0; monpriv->read_index = 0;
dev_set_drvdata(monreader_device, NULL);
for (i = 0; i < MON_MSGLIM; i++) for (i = 0; i < MON_MSGLIM; i++)
kfree(monpriv->msg_array[i]); kfree(monpriv->msg_array[i]);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册