Commit 03439e7d, author: Martin Schwidefsky

s390/3270: fix use after free of tty3270_screen structure

The deactivation and freeing of the tty view of the 3270 device
can race with a tty3270_update invocation via the update timer.
To fix this move the del_timer_sync call for the update timer from
tty3270_free_view to tty3270_free prior to the tty3270_free_screen
call.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

Parent c63badeb
......@@ -125,10 +125,7 @@ static void tty3270_resize_work(struct work_struct *work);
*/
static void tty3270_set_timer(struct tty3270 *tp, int expires)
{
if (expires == 0)
del_timer(&tp->timer);
else
mod_timer(&tp->timer, jiffies + expires);
mod_timer(&tp->timer, jiffies + expires);
}
/*
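Review bot: In tty3270_set_timer the hunk shrinks from 10 to 7 lines and the `if (expires == 0) del_timer(&tp->timer);` branch appears to be dropped, a behaviour change the commit message does not mention. With only `mod_timer(&tp->timer, jiffies + expires);` left, a caller passing 0 now arms the timer for the current jiffy instead of cancelling it. Please confirm that no caller relies on 0 meaning "cancel", update the comment above the function if it documents that meaning, and add a sentence to the commit message explaining why the cancel path is no longer needed.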
......@@ -744,7 +741,6 @@ tty3270_free_view(struct tty3270 *tp)
{
int pages;
del_timer_sync(&tp->timer);
kbd_free(tp->kbd);
raw3270_request_free(tp->kreset);
raw3270_request_free(tp->read);
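Review bot: With `del_timer_sync(&tp->timer);` gone from tty3270_free_view, that function no longer guarantees the update timer is stopped before it frees tp->kbd and the requests. If tty3270_free_view is reachable from anywhere other than tty3270_free (an allocation error path, for example), please check that the timer cannot be pending there, or state in a comment that the caller must have stopped the timer first.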
......@@ -877,6 +873,7 @@ tty3270_free(struct raw3270_view *view)
{
struct tty3270 *tp = container_of(view, struct tty3270, view);
del_timer_sync(&tp->timer);
tty3270_free_screen(tp->screen, tp->view.rows);
tty3270_free_view(tp);
}
......
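Review bot: The placement of `del_timer_sync(&tp->timer);` ahead of `tty3270_free_screen(tp->screen, tp->view.rows);` in tty3270_free is the entire fix, but nothing in the code records that the order matters. A one-line comment saying the update timer must be stopped before the screen is freed would keep a later cleanup from moving it back. del_timer_sync only protects the free if nothing can re-arm the timer afterwards, and since tty3270_set_timer now calls mod_timer unconditionally, it is worth stating in the commit message why no path can call it once the view has reached this point.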