From ccaf6553963bc6304d5820962a08a4397d0a2dc2 Mon Sep 17 00:00:00 2001 From: Gerald Schaefer Date: Fri, 13 Nov 2009 15:43:51 +0100 Subject: [S390] monreader: fix use after free bug with suspend/resume The monreader device driver doesn't set dev->driver_data to NULL after freeing the corresponding data structure. This leads to a use after free bug in the freeze/thaw suspend/resume functions after the device has been opened and closed once. Fix this by clearing dev->driver_data in the close() function. Signed-off-by: Gerald Schaefer Signed-off-by: Martin Schwidefsky --- drivers/s390/char/monreader.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/s390/char/monreader.c') diff --git a/drivers/s390/char/monreader.c b/drivers/s390/char/monreader.c index 89ece1c235aa..66e21dd23154 100644 --- a/drivers/s390/char/monreader.c +++ b/drivers/s390/char/monreader.c @@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp) atomic_set(&monpriv->msglim_count, 0); monpriv->write_index = 0; monpriv->read_index = 0; + dev_set_drvdata(monreader_device, NULL); for (i = 0; i < MON_MSGLIM; i++) kfree(monpriv->msg_array[i]); -- cgit v1.2.3