From 3ec0a17ef5f4ea922b10ebfdb99473c4d8d6120d Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Tue, 7 Aug 2012 21:47:57 +0200 Subject: [PATCH] TTY: con3215, unset raw3215[line] raw3215[line] is set in probe, but not unset in remove. This will lead to random crashes if the device is removed and the corresponding tty opened later. open would dereference freed memory. So set raw3215[line] to NULL in remove to fix that. Signed-off-by: Jiri Slaby Cc: Martin Schwidefsky Cc: Heiko Carstens Cc: linux390@de.ibm.com Cc: linux-s390@vger.kernel.org Acked-by: Alan Cox Signed-off-by: Greg Kroah-Hartman --- drivers/s390/char/con3215.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/s390/char/con3215.c b/drivers/s390/char/con3215.c index 6c0116d48c74..16554982671c 100644 --- a/drivers/s390/char/con3215.c +++ b/drivers/s390/char/con3215.c @@ -716,10 +716,17 @@ static int raw3215_probe (struct ccw_device *cdev) static void raw3215_remove (struct ccw_device *cdev) { struct raw3215_info *raw; + unsigned int line; ccw_device_set_offline(cdev); raw = dev_get_drvdata(&cdev->dev); if (raw) { + spin_lock(&raw3215_device_lock); + for (line = 0; line < NR_3215; line++) + if (raw3215[line] == raw) + break; + raw3215[line] = NULL; + spin_unlock(&raw3215_device_lock); dev_set_drvdata(&cdev->dev, NULL); raw3215_free_info(raw); } -- 2.20.1