From: Gerald Schaefer Date: Fri, 13 Nov 2009 14:43:51 +0000 (+0100) Subject: [S390] monreader: fix use after free bug with suspend/resume X-Git-Tag: upstream/snapshot3+hdmi~16582^2~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ccaf6553963bc6304d5820962a08a4397d0a2dc2;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git [S390] monreader: fix use after free bug with suspend/resume The monreader device driver doesn't set dev->driver_data to NULL after freeing the corresponding data structure. This leads to a use after free bug in the freeze/thaw suspend/resume functions after the device has been opened and closed once. Fix this by clearing dev->driver_data in the close() function. Signed-off-by: Gerald Schaefer Signed-off-by: Martin Schwidefsky --- diff --git a/drivers/s390/char/monreader.c b/drivers/s390/char/monreader.c index 89ece1c..66e21dd 100644 --- a/drivers/s390/char/monreader.c +++ b/drivers/s390/char/monreader.c @@ -357,6 +357,7 @@ static int mon_close(struct inode *inode, struct file *filp) atomic_set(&monpriv->msglim_count, 0); monpriv->write_index = 0; monpriv->read_index = 0; + dev_set_drvdata(monreader_device, NULL); for (i = 0; i < MON_MSGLIM; i++) kfree(monpriv->msg_array[i]);
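Review bot: the new `dev_set_drvdata(monreader_device, NULL);` in `mon_close()` only closes the use-after-free if the freeze/thaw callbacks named in the commit message treat a NULL drvdata as "device not open" and return early. This patch has a single hunk and does not touch those callbacks, so that check cannot be confirmed from the lines shown; please point to it in the commit message or add it here. Placing the clear before the `kfree(monpriv->msg_array[i])` loop is the right order, since the pointer is unpublished before anything it references is freed, but nothing visible in the hunk serializes `mon_close()` against a suspend callback that has already fetched the pointer. If the PM core can run freeze while a close is in progress, the callback could still hold the old `monpriv`. A one-line comment above the new call saying that the suspend/resume callbacks depend on this being NULL after close would keep a later cleanup from dropping it.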