From: Sebastian Ott
Date: Fri, 11 Sep 2009 08:28:23 +0000 (+0200)
Subject: [S390] cio: fix use after free in s390 debug feature
X-Git-Tag: upstream/snapshot3+hdmi~17702^2~44
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f014824ee72e66292c3b1172dc142f959b42e61b;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git

[S390] cio: fix use after free in s390 debug feature

When using s390dbf with "%s" in sprintf format strings the string itself is not copied to the dbf buffer. Since in this case only pointers are stored in the s390dbf, we should not use dev_name - which is bound to the lifetime of the device. Reading this entry from s390dbf after the device was released will cause an use after free error.
Signed-off-by: Sebastian Ott
Signed-off-by: Martin Schwidefsky
---
diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index a50cfa5..6b770f8 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -2038,7 +2038,9 @@ static void __ccw_device_pm_restore(struct ccw_device *cdev)
 spin_unlock_irq(sch->lock);
 if (ret) {
 CIO_MSG_EVENT(0, "Couldn't start recognition for device "
- "%s (ret=%d)\n", dev_name(&cdev->dev), ret);
+ "0.%x.%04x (ret=%d)\n",
+ cdev->private->dev_id.ssid,
+ cdev->private->dev_id.devno, ret);
 spin_lock_irq(sch->lock);
 cdev->private->state = DEV_STATE_DISCONNECTED;
 spin_unlock_irq(sch->lock);
@@ -2101,8 +2103,9 @@ static int ccw_device_pm_restore(struct device *dev)
 }
 /* check if the device id has changed */
 if (sch->schib.pmcw.dev != cdev->private->dev_id.devno) {
- CIO_MSG_EVENT(0, "resume: sch %s: failed (devno changed from "
- "%04x to %04x)\n", dev_name(&sch->dev),
+ CIO_MSG_EVENT(0, "resume: sch 0.%x.%04x: failed (devno "
+ "changed from %04x to %04x)\n",
+ sch->schid.ssid, sch->schid.sch_no,
 cdev->private->dev_id.devno,
 sch->schib.pmcw.dev);
 goto out_unreg_unlock;
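Review bot: The three rewritten CIO_MSG_EVENT calls (the one in __ccw_device_pm_restore and both in ccw_device_pm_restore) carry no comment explaining why the bus id is formatted by hand, so a later cleanup could fold them back into `"%s"` with `dev_name()` and reintroduce the stale-pointer read the commit message describes. I would add a one-line comment above the first call, for example `/* s390dbf keeps only the pointer for %s arguments; pass ids by value, never dev_name() */`. The literal `0.%x.%04x` is now repeated in all three messages and presumably has to match how the bus ids are built elsewhere, which is not visible here. Both functions start and end outside the hunks, so other `%s` call sites in this file cannot be ruled out from this view.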
@@ -2135,8 +2138,9 @@ static int ccw_device_pm_restore(struct device *dev)
 if (cm_enabled) {
 ret = ccw_set_cmf(cdev, 1);
 if (ret) {
- CIO_MSG_EVENT(2, "resume: cdev %s: cmf failed "
- "(rc=%d)\n", dev_name(&cdev->dev), ret);
+ CIO_MSG_EVENT(2, "resume: cdev 0.%x.%04x: cmf failed "
+ "(rc=%d)\n", cdev->private->dev_id.ssid,
+ cdev->private->dev_id.devno, ret);
 ret = 0;
 }
 }