summaryrefslogtreecommitdiffstats
path: root/drivers/s390/cio/device.c
diff options
context:
space:
mode:
authorSebastian Ott <sebott@linux.vnet.ibm.com>2015-09-07 19:51:39 +0200
committerMartin Schwidefsky <schwidefsky@de.ibm.com>2015-10-14 14:32:02 +0200
commita6ef15652d260f754ead223d0c55434a3a39fe1d (patch)
treeb2a872f3b03d863b648a1e796d41ef4f20e46761 /drivers/s390/cio/device.c
parents390/cio: use device_lock during cmb activation (diff)
downloadlinux-a6ef15652d260f754ead223d0c55434a3a39fe1d.tar.xz
linux-a6ef15652d260f754ead223d0c55434a3a39fe1d.zip
s390/cio: fix use after free in cmb processing
Devices with active channel measurement are included in a list. When a device is removed without deactivating channel measurement first the list_head is freed but still used. Fix this by making sure that channel measurement is deactivated during device deregistration. For devices that we deregister because they are no longer accessible deactivating channel measurement will fail. In this case we can report success because the FW will no longer access the measurement block. In addition to these steps keep an extra device reference while channel measurement is active. Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390/cio/device.c')
-rw-r--r--drivers/s390/cio/device.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index 20b92c703944..6aae68412802 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1787,6 +1787,8 @@ static int ccw_device_remove(struct device *dev)
cdev->drv = NULL;
cdev->private->int_class = IRQIO_CIO;
spin_unlock_irq(cdev->ccwlock);
+ __disable_cmf(cdev);
+
return 0;
}