From: Martin Schwidefsky
Date: Wed, 4 Dec 2013 13:29:11 +0000 (+0100)
Subject: s390/3270: fix use after free of tty3270_screen structure
X-Git-Tag: firefly_0821_release~176^2~4660^2~35
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=03439e7d0a7ab3d77a74523b9ba64736c0fc28de;p=firefly-linux-kernel-4.4.55.git

s390/3270: fix use after free of tty3270_screen structure

The deactivation and freeing of the tty view of the 3270 device can race with a tty3270_update invocation via the update timer. To fix this move the del_timer_sync call for the update timer from tty3270_free_view to tty3270_free prior to the tty3270_free_screen call.

Signed-off-by: Martin Schwidefsky
---

diff --git a/drivers/s390/char/tty3270.c b/drivers/s390/char/tty3270.c
index 3f4ca4e09a4c..07cf182c18f9 100644
--- a/drivers/s390/char/tty3270.c
+++ b/drivers/s390/char/tty3270.c
@@ -125,10 +125,7 @@ static void tty3270_resize_work(struct work_struct *work);
  */
 static void tty3270_set_timer(struct tty3270 *tp, int expires)
 {
-	if (expires == 0)
-		del_timer(&tp->timer);
-	else
-		mod_timer(&tp->timer, jiffies + expires);
+	mod_timer(&tp->timer, jiffies + expires);
 }
 
 /*
@@ -744,7 +741,6 @@ tty3270_free_view(struct tty3270 *tp)
 {
 	int pages;
 
-	del_timer_sync(&tp->timer);
 	kbd_free(tp->kbd);
 	raw3270_request_free(tp->kreset);
 	raw3270_request_free(tp->read);
@@ -877,6 +873,7 @@ tty3270_free(struct raw3270_view *view)
 {
 	struct tty3270 *tp = container_of(view, struct tty3270, view);
 
+	del_timer_sync(&tp->timer);
 	tty3270_free_screen(tp->screen, tp->view.rows);
 	tty3270_free_view(tp);
 }
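Review bot: With the `expires == 0` branch gone, any caller that still passes 0 to tty3270_set_timer now gets `mod_timer(&tp->timer, jiffies)` — a timer pending for immediate expiry — where it previously cancelled the timer, so every call site needs checking for a zero argument; none is visible in this diff. The new contract should be written down on the function, e.g. `/* (Re)arm the update timer; expires must be non-zero — passing 0 no longer cancels it. */`. If a cancellation path is still wanted anywhere, that caller should use del_timer()/del_timer_sync() directly rather than this helper.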
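Review bot: The del_timer_sync() added at the top of tty3270_free only waits for a handler that is already running; it does not stop the timer from being re-armed afterwards, and tty3270_update — the handler, outside this hunk — is the code that re-arms it through tty3270_set_timer, so the fix holds only if no path can call tty3270_set_timer once tty3270_free has begun. That precondition deserves a comment at the call: `/* Nothing may re-arm the timer past this point: tty3270_update runs from it and dereferences tp->screen. */`. Whether the deactivate callback or the queued resize work can still schedule the timer after the view is being released is not visible here and should be confirmed against the rest of the file.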