s390/cio: fix use-after-free in ccw_device_destroy_console

Use of sch->dev reference after the put_device() call could trigger
the use-after-free bugs.

Fix this by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Reported-by: Hulk Robot <hulkci@huawei.com>
Suggested-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Vineeth Vijayan <vneethv@linux.ibm.com>
[vneethv@linux.ibm.com: Slight modification in the commit-message]
Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index 5fbc549786ab04a5aa349c4c82ff5b70ba09f091..e0005a4fc97861890902c3722d02249a6c0e3adc 100644 (file)
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1645,10 +1645,10 @@ void __init ccw_device_destroy_console(struct ccw_device *cdev)
        struct io_subchannel_private *io_priv = to_io_private(sch);
 
        set_io_private(sch, NULL);
-       put_device(&sch->dev);
-       put_device(&cdev->dev);
        dma_free_coherent(&sch->dev, sizeof(*io_priv->dma_area),
                          io_priv->dma_area, io_priv->dma_area_dma);
+       put_device(&sch->dev);
+       put_device(&cdev->dev);
        kfree(io_priv);
 }