TTY: con3215, unset raw3215[line]

raw3215[line] is set in probe, but not unset in remove. This will lead
to random crashes if the device is removed and the corresponding tty
opened later. open would dereference freed memory.

So set raw3215[line] to NULL in remove to fix that.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: linux390@de.ibm.com
Cc: linux-s390@vger.kernel.org
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/s390/char/con3215.c b/drivers/s390/char/con3215.c
index 6c0116d..1655498 100644 (file)
--- a/drivers/s390/char/con3215.c
+++ b/drivers/s390/char/con3215.c
@@ -716,10 +716,17 @@ static int raw3215_probe (struct ccw_device *cdev)
 static void raw3215_remove (struct ccw_device *cdev)
 {
        struct raw3215_info *raw;
+       unsigned int line;
 
        ccw_device_set_offline(cdev);
        raw = dev_get_drvdata(&cdev->dev);
        if (raw) {
+               spin_lock(&raw3215_device_lock);
+               for (line = 0; line < NR_3215; line++)
+                       if (raw3215[line] == raw)
+                               break;
+               raw3215[line] = NULL;
+               spin_unlock(&raw3215_device_lock);
                dev_set_drvdata(&cdev->dev, NULL);
                raw3215_free_info(raw);
        }