Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4222269pxu;
        Mon, 30 Nov 2020 22:27:45 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwTyghdZKSvu4ukMuraeEr0zx2RPWkDz8ou/42L9EDzCJZruNVhwCXHsduBIq62Y5vkvn3O
X-Received: by 2002:a50:fa44:: with SMTP id c4mr609748edq.197.1606804065425;
        Mon, 30 Nov 2020 22:27:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606804065; cv=none;
        d=google.com; s=arc-20160816;
        b=Bo623uaBurdVHjAnXsIMKRoEjgOBJMK2ruCmMtW0mk6BTtrmGm8BgHonVrmKjBrpWl
         cRkjsXWshen7tu/ZCfbnxG5Xrc3Ks6ViRHTvlnvA1B82Eivsa1CiNYn19pdLjT4Gpqeu
         KC0zd0kqN+qj4fPELjjqv7nMYyqg8WCs0/XurZBt69LEa55sZ6RjSgQNdKm7hJmbc/3Z
         pnfESkKKz9+oHVg2ZUCe/odMuKzSnVupHU0LkSBqxCZ3BzBmDKNb+7JmNJZzKN33Hpkm
         tHp2Fawarq8LB0sV1jZzlMe4BLEEzQqR/5CwSub28oZdDkYNtP6sVfaBVKYmARL5FENc
         QVTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=ZC3v7GfPik2zEErPaDlvuEtk+ODQX5kz9ZfYbZBRACA=;
        b=MwGUq9e5C44f1L87RMqmgY/nikVrR7A7CeKpaXX99AkSjD3vlIS2yhubngbYapX37F
         N+gjxmfAEYqBhoBlERU3JYs+c+W/B+ypDzTnNHfnlIN4M8ilrWVDoKnyo39ULS92OwsG
         Xwtj1Mu2CvYodMp7Uwhgr6tcKJvwiohK3qqFTwTSOkTDAb6nd6b1AthDy/yLOGvFnlJu
         nekMWeQ3yBv4dqnVU+slCERPuM7szfz+qWI5FGWbCHxk/zoApukT8KFqaVLZOPvNkri+
         nDrC+E3m2uj5wi3+pi3gVBhftYbCLmtulYuDsHuv4IIDMZDmok3m8kwaHGKyafiWu8q0
         q+9w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ec4si329992ejb.549.2020.11.30.22.27.22;
        Mon, 30 Nov 2020 22:27:45 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726938AbgLAGYu (ORCPT <rfc822;shibaboy@gmail.com> + 99 others);
        Tue, 1 Dec 2020 01:24:50 -0500
Received: from szxga04-in.huawei.com ([45.249.212.190]:8168 "EHLO
        szxga04-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726142AbgLAGYu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 Dec 2020 01:24:50 -0500
Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.58])
        by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4ClX9P1PFPz15W1S;
        Tue,  1 Dec 2020 14:23:37 +0800 (CST)
Received: from localhost.localdomain.localdomain (10.175.113.25) by
 DGGEMS411-HUB.china.huawei.com (10.3.19.211) with Microsoft SMTP Server id
 14.3.487.0; Tue, 1 Dec 2020 14:23:51 +0800
From:   Qinglang Miao <miaoqinglang@huawei.com>
To:     Cornelia Huck <cohuck@redhat.com>,
        Vineeth Vijayan <vneethv@linux.ibm.com>,
        Peter Oberparleiter <oberpar@linux.ibm.com>,
        "Heiko Carstens" <hca@linux.ibm.com>,
        Vasily Gorbik <gor@linux.ibm.com>,
        "Christian Borntraeger" <borntraeger@de.ibm.com>
CC:     <linux-s390@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        "Qinglang Miao" <miaoqinglang@huawei.com>
Subject: [PATCH] s390: cio: fix use-after-free in ccw_device_destroy_console
Date:   Tue, 1 Dec 2020 14:31:50 +0800
Message-ID: <20201201063150.82128-1-miaoqinglang@huawei.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [10.175.113.25]
X-CFilter-Loop: Reflected
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

put_device calls release function which do kfree() inside.
So following use of sch&cdev would cause use-after-free bugs.

Fix these by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Reported-by: Hulk Robot <hulkci@huawei.com>
Suggested-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
---
 This patch is indeed a v2 of older one. Considering that the
 patch's name has changed, I think a normal prefix 'PATCH' is
 better.

 drivers/s390/cio/device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index b29fe8d50..33280ca18 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev)
 	struct io_subchannel_private *io_priv = to_io_private(sch);
 
 	set_io_private(sch, NULL);
-	put_device(&sch->dev);
-	put_device(&cdev->dev);
 	dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area),
 			  io_priv->dma_area, io_priv->dma_area_dma);
+	put_device(&sch->dev);
+	put_device(&cdev->dev);
 	kfree(io_priv);
 }
 
-- 
2.23.0