s390/3270: fix crash with multiple reset device requests

If the 3270 device is detached the initial reset device request will
stays pending until the device is operational. A second reset device
call will reuse the same request structure which will cause an oops.
Add a check to see if the reset device request is already pending
and do nothing in this case.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
index 9f849df4381e1388c87b89bfc33f2b350ce54dda..15b3459f86562d2211dde73e507197bbea04b50e 100644 (file)
--- a/drivers/s390/char/raw3270.c
+++ b/drivers/s390/char/raw3270.c
@@ -632,6 +632,8 @@ raw3270_reset_device_cb(struct raw3270_request *rq, void *data)
                raw3270_size_device_done(rp);
        } else
                raw3270_writesf_readpart(rp);
+       memset(&rp->init_reset, 0, sizeof(rp->init_reset));
+       memset(&rp->init_data, 0, sizeof(rp->init_data));
 }
 
 static int
@@ -639,9 +641,10 @@ __raw3270_reset_device(struct raw3270 *rp)
 {
        int rc;
 
+       /* Check if reset is already pending */
+       if (rp->init_reset.view)
+               return -EBUSY;
        /* Store reset data stream to init_data/init_reset */
-       memset(&rp->init_reset, 0, sizeof(rp->init_reset));
-       memset(&rp->init_data, 0, sizeof(rp->init_data));
        rp->init_data[0] = TW_KR;
        rp->init_reset.ccw.cmd_code = TC_EWRITEA;
        rp->init_reset.ccw.flags = CCW_FLAG_SLI;
@@ -850,7 +853,7 @@ raw3270_create_device(struct ccw_device *cdev)
        char *ascebc;
        int rc;
 
-       rp = kmalloc(sizeof(struct raw3270), GFP_KERNEL | GFP_DMA);
+       rp = kzalloc(sizeof(struct raw3270), GFP_KERNEL | GFP_DMA);
        if (!rp)
                return ERR_PTR(-ENOMEM);
        ascebc = kmalloc(256, GFP_KERNEL);