From: Qinglang Miao
To: Cornelia Huck, Vineeth Vijayan, Peter Oberparleiter, "Heiko Carstens", Vasily Gorbik, "Christian Borntraeger"
CC: "Qinglang Miao"
Subject: [PATCH] s390: cio: fix use-after-free in ccw_device_destroy_console
Date: Tue, 1 Dec 2020 14:31:50 +0800
Message-ID: <20201201063150.82128-1-miaoqinglang@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

put_device calls release function which do kfree() inside. So following use of sch&cdev would cause use-after-free bugs. Fix these by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Reported-by: Hulk Robot
Suggested-by: Cornelia Huck
Signed-off-by: Qinglang Miao
---
This patch is indeed a v2 of older one. Considering that the patch's name has changed, I think a normal prefix 'PATCH' is better.

drivers/s390/cio/device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c index b29fe8d50..33280ca18 100644 --- a/drivers/s390/cio/device.c +++ b/drivers/s390/cio/device.c @@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev) struct io_subchannel_private *io_priv = to_io_private(sch); set_io_private(sch, NULL); - put_device(&sch->dev); - put_device(&cdev->dev); dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area), io_priv->dma_area, io_priv->dma_area_dma); + put_device(&sch->dev); + put_device(&cdev->dev); kfree(io_priv); } -- 2.23.0
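
Review bot: the commit message should name the actual use-after-free site, because in the tail of ccw_device_destroy_console() shown here the only dereference that followed the old put_device() calls is the &sch->dev argument to dma_free_coherent(); cdev is not used again in these lines, so "sch&cdev" is broader than what the hunk demonstrates. The reordering itself gives no hint to a later reader that the position of the two puts is load-bearing, so a one-line comment above put_device(&sch->dev) saying the puts may drop the last reference and must follow every use of sch would help keep them from drifting back up. Leaving kfree(io_priv) after the puts looks consistent with the visible lines, since io_priv is a local pointer already detached by set_io_private(sch, NULL) and the call does not go through sch or cdev.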