diff options
author | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2013-12-04 14:29:11 +0100 |
---|---|---|
committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2013-12-16 14:37:45 +0100 |
commit | 03439e7d0a7ab3d77a74523b9ba64736c0fc28de (patch) | |
tree | e1787c15affd7f550843bd95022ae0ee1fc16135 /drivers/s390/char/tty3270.c | |
parent | c63badebfebacdba827ab1cc1d420fc81bd8d818 (diff) | |
download | op-kernel-dev-03439e7d0a7ab3d77a74523b9ba64736c0fc28de.zip op-kernel-dev-03439e7d0a7ab3d77a74523b9ba64736c0fc28de.tar.gz |
s390/3270: fix use after free of tty3270_screen structure
The deactivation and freeing of the tty view of the 3270 device
can race with a tty3270_update invocation via the update timer.
To fix this move the del_timer_sync call for the update timer from
tty3270_free_view to tty3270_free prior to the tty3270_free_screen
call.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390/char/tty3270.c')
-rw-r--r-- | drivers/s390/char/tty3270.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c index 3f4ca4e..07cf182 100644 --- a/drivers/s390/char/tty3270.c +++ b/drivers/s390/char/tty3270.c @@ -125,10 +125,7 @@ static void tty3270_resize_work(struct work_struct *work); */ static void tty3270_set_timer(struct tty3270 *tp, int expires) { - if (expires == 0) - del_timer(&tp->timer); - else - mod_timer(&tp->timer, jiffies + expires); + mod_timer(&tp->timer, jiffies + expires); } /* @@ -744,7 +741,6 @@ tty3270_free_view(struct tty3270 *tp) { int pages; - del_timer_sync(&tp->timer); kbd_free(tp->kbd); raw3270_request_free(tp->kreset); raw3270_request_free(tp->read); @@ -877,6 +873,7 @@ tty3270_free(struct raw3270_view *view) { struct tty3270 *tp = container_of(view, struct tty3270, view); + del_timer_sync(&tp->timer); tty3270_free_screen(tp->screen, tp->view.rows); tty3270_free_view(tp); } |