Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp9087348pxu; Mon, 28 Dec 2020 06:19:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJzA2/Emaplv62IYZEHMw4CZ7Afm9+drbSWXC8zj9CPeqJLQBNkRawXt7+mE3zaUmMwYKl1s X-Received: by 2002:a50:bac4:: with SMTP id x62mr41651052ede.59.1609165171101; Mon, 28 Dec 2020 06:19:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609165171; cv=none; d=google.com; s=arc-20160816; b=z0n7dXKfj5cE01E45K8pxmg8KavjhUBunq+YVeszH/By16Hmlt5UsMFYfsLuE9Y6Es diiseqh2dEkWAN9azFAZKLMwTgU+iHdOVB6bS5Vs8uGpI7yuKR/uwVWaCy/OuRehrYwU Wxi3puM1UhjC2Zy7Fj+s54pTQrj5vBk0yZyVSeppw6X8ao2Klfwg+Ghq9IQjzyoY/Ei6 bUhO56v5zbXvzuWiTwfm4NeNqFScA6HJQMscKx2tOqH0+rrDb112FK7e4NsBYzML+Ogz ev76dMItT0s/ZeCTaCBcKEgUo2EAWIBaEevrKhsM0fADmqE5pffi/5Q731Tm/O1MWuc5 B6VQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=o93r269j2HNzEufNO2CXHKpgG8oVwW4Qx0BFBIgK3DU=; b=UKnSuX7Jf5+QNMSsBgG8GM4jK+H90duxOIBTLdmU9HtoUJXCVB5GmzekMlZ6/gN6Ug c+VSR9qypurwN8L/KFf1SAascVhgnGXBkzqCZmeOGVglFugjRRKP3jIEwxNsNEQDaF+O 6LTFsgpSzTeS0F55138vfh4UnQUrK/VmiuGQQxLYwyH6cpUewfQOHPX+4DPd0utTl7WC T510bQyG2BiKL46xXxqXUHVP24gjtf22AhuwpHkTTkXKmM75xy68IxzCe34QyViD2ROw QJTn17daYmBwgVs1Sxl5SE3PbepaU1uNCUFRqp9KuzUCT8PVVucWKA3FJM5clCHbaScf GlCw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ABHfQBxb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n3si18361674ejx.102.2020.12.28.06.19.06; Mon, 28 Dec 2020 06:19:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=ABHfQBxb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391790AbgL1OR1 (ORCPT + 99 others); Mon, 28 Dec 2020 09:17:27 -0500 Received: from mail.kernel.org ([198.145.29.99]:52306 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2440203AbgL1OR0 (ORCPT ); Mon, 28 Dec 2020 09:17:26 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id BBD222063A; Mon, 28 Dec 2020 14:17:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1609165030; bh=E0AtVvM9J6+qU1oA0xg0oXB1ALa+lGHAU7dIFhTwAk0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ABHfQBxbTTUrjs65STmm57NKf5DHn7iI9MtzkxLF8fKSUXVMJYMGxfKH1kO59q+ad UftyrJmsM75mDDYtyXt4zy7pKtgnTHk/CkEzPYrBQqnAm5Iypz32qDyflRhs3Py4UY ydGJBBqeTGYRSRCUNz4d9ohVOzETs0qxwTX9AEjM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Cornelia Huck , Qinglang Miao , Vineeth Vijayan , Heiko Carstens , Sasha Levin Subject: [PATCH 5.10 386/717] s390/cio: fix use-after-free in ccw_device_destroy_console Date: Mon, 28 Dec 2020 13:46:24 +0100 Message-Id: <20201228125039.498060061@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201228125020.963311703@linuxfoundation.org> References: <20201228125020.963311703@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Qinglang Miao [ Upstream commit 14d4c4fa46eeaa3922e8e1c4aa727eb0a1412804 ] Use of sch->dev reference after the put_device() call could trigger the use-after-free bugs. Fix this by simply adjusting the position of put_device. Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support") Reported-by: Hulk Robot Suggested-by: Cornelia Huck Signed-off-by: Qinglang Miao Reviewed-by: Cornelia Huck Reviewed-by: Vineeth Vijayan [vneethv@linux.ibm.com: Slight modification in the commit-message] Signed-off-by: Vineeth Vijayan Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin --- drivers/s390/cio/device.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c index b29fe8d50baf2..33280ca181e95 100644 --- a/drivers/s390/cio/device.c +++ b/drivers/s390/cio/device.c @@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev) struct io_subchannel_private *io_priv = to_io_private(sch); set_io_private(sch, NULL); - put_device(&sch->dev); - put_device(&cdev->dev); dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area), io_priv->dma_area, io_priv->dma_area_dma); + put_device(&sch->dev); + put_device(&cdev->dev); kfree(io_priv); } -- 2.27.0