From 03439e7d0a7ab3d77a74523b9ba64736c0fc28de Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky Date: Wed, 4 Dec 2013 14:29:11 +0100 Subject: [PATCH] s390/3270: fix use after free of tty3270_screen structure The deactivation and freeing of the tty view of the 3270 device can race with a tty3270_update invocation via the update timer. To fix this move the del_timer_sync call for the update timer from tty3270_free_view to tty3270_free prior to the tty3270_free_screen call. Signed-off-by: Martin Schwidefsky --- drivers/s390/char/tty3270.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c index 3f4ca4e09a4c..07cf182c18f9 100644 --- a/drivers/s390/char/tty3270.c +++ b/drivers/s390/char/tty3270.c @@ -125,10 +125,7 @@ static void tty3270_resize_work(struct work_struct *work); */ static void tty3270_set_timer(struct tty3270 *tp, int expires) { - if (expires == 0) - del_timer(&tp->timer); - else - mod_timer(&tp->timer, jiffies + expires); + mod_timer(&tp->timer, jiffies + expires); } /* @@ -744,7 +741,6 @@ tty3270_free_view(struct tty3270 *tp) { int pages; - del_timer_sync(&tp->timer); kbd_free(tp->kbd); raw3270_request_free(tp->kreset); raw3270_request_free(tp->read); @@ -877,6 +873,7 @@ tty3270_free(struct raw3270_view *view) { struct tty3270 *tp = container_of(view, struct tty3270, view); + del_timer_sync(&tp->timer); tty3270_free_screen(tp->screen, tp->view.rows); tty3270_free_view(tp); }