Commit be7a2ddc authored by Sebastian Ott's avatar Sebastian Ott Committed by Martin Schwidefsky

[S390] cio: ensure to hold a reference for deferred deregistration

Ensure to always hold an extra device reference for scheduling a
subchannel deregistration, by moving the get_device to
ccw_device_schedule_sch_unregister. This fixes an use after free
error in ccw_device_call_sch_unregister where put_device was called
on an already freed device structure.
Signed-off-by: default avatarSebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent e2910bcf
...@@ -333,15 +333,15 @@ ccw_device_remove_disconnected(struct ccw_device *cdev) ...@@ -333,15 +333,15 @@ ccw_device_remove_disconnected(struct ccw_device *cdev)
* Forced offline in disconnected state means * Forced offline in disconnected state means
* 'throw away device'. * 'throw away device'.
*/ */
/* Get cdev reference for workqueue processing. */
if (!get_device(&cdev->dev))
return;
if (ccw_device_is_orphan(cdev)) { if (ccw_device_is_orphan(cdev)) {
/* /*
* Deregister ccw device. * Deregister ccw device.
* Unfortunately, we cannot do this directly from the * Unfortunately, we cannot do this directly from the
* attribute method. * attribute method.
*/ */
/* Get cdev reference for workqueue processing. */
if (!get_device(&cdev->dev))
return;
spin_lock_irqsave(cdev->ccwlock, flags); spin_lock_irqsave(cdev->ccwlock, flags);
cdev->private->state = DEV_STATE_NOT_OPER; cdev->private->state = DEV_STATE_NOT_OPER;
spin_unlock_irqrestore(cdev->ccwlock, flags); spin_unlock_irqrestore(cdev->ccwlock, flags);
...@@ -1032,6 +1032,9 @@ static void ccw_device_call_sch_unregister(struct work_struct *work) ...@@ -1032,6 +1032,9 @@ static void ccw_device_call_sch_unregister(struct work_struct *work)
void ccw_device_schedule_sch_unregister(struct ccw_device *cdev) void ccw_device_schedule_sch_unregister(struct ccw_device *cdev)
{ {
/* Get cdev reference for workqueue processing. */
if (!get_device(&cdev->dev))
return;
PREPARE_WORK(&cdev->private->kick_work, PREPARE_WORK(&cdev->private->kick_work,
ccw_device_call_sch_unregister); ccw_device_call_sch_unregister);
queue_work(slow_path_wq, &cdev->private->kick_work); queue_work(slow_path_wq, &cdev->private->kick_work);
...@@ -1052,9 +1055,6 @@ io_subchannel_recog_done(struct ccw_device *cdev) ...@@ -1052,9 +1055,6 @@ io_subchannel_recog_done(struct ccw_device *cdev)
/* Device did not respond in time. */ /* Device did not respond in time. */
case DEV_STATE_NOT_OPER: case DEV_STATE_NOT_OPER:
cdev->private->flags.recog_done = 1; cdev->private->flags.recog_done = 1;
/* Remove device found not operational. */
if (!get_device(&cdev->dev))
break;
ccw_device_schedule_sch_unregister(cdev); ccw_device_schedule_sch_unregister(cdev);
if (atomic_dec_and_test(&ccw_device_init_count)) if (atomic_dec_and_test(&ccw_device_init_count))
wake_up(&ccw_device_init_wq); wake_up(&ccw_device_init_wq);
...@@ -1565,8 +1565,6 @@ static int purge_fn(struct device *dev, void *data) ...@@ -1565,8 +1565,6 @@ static int purge_fn(struct device *dev, void *data)
spin_unlock_irq(cdev->ccwlock); spin_unlock_irq(cdev->ccwlock);
if (!unreg) if (!unreg)
goto out; goto out;
if (!get_device(&cdev->dev))
goto out;
CIO_MSG_EVENT(3, "ccw: purging 0.%x.%04x\n", priv->dev_id.ssid, CIO_MSG_EVENT(3, "ccw: purging 0.%x.%04x\n", priv->dev_id.ssid,
priv->dev_id.devno); priv->dev_id.devno);
ccw_device_schedule_sch_unregister(cdev); ccw_device_schedule_sch_unregister(cdev);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment