commit 54ad64129cc166b9eec7151f3f9fc83589e33555
author Martin Schwidefsky <schwidefsky@de.ibm.com> Fri May 30 10:03:32 2008 +0200
committer Martin Schwidefsky <schwidefsky@de.ibm.com> Fri May 30 10:03:35 2008 +0200
tree 62653aafec6b61da39a58c4cac2c1b5e37860df1
parent c80ee724966a8ce9a68020d9095233fb1c6f57e8

[S390] 3270: fix race with stack local wait_queue_head_t.

A wait_event call with a stack local wait_queue_head_t structure that is
used to do the wake up for the wait_event is inherently racy. After the
wait_event finished the wake_up call might not have completed yet.
Remove the stack local wait_queue_head_t from raw3270_start_init and
use the global raw3270_wait_queue instead.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

drivers/s390/char/raw3270.c

diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
index 0d98f1f..848ef7e 100644
--- a/drivers/s390/char/raw3270.c
+++ b/drivers/s390/char/raw3270.c
@@ -549,7 +549,6 @@
 		   struct raw3270_request *rq)
 {
 	unsigned long flags;
-	wait_queue_head_t wq;
 	int rc;
 
 #ifdef CONFIG_TN3270_CONSOLE
@@ -566,20 +565,20 @@
 		return rq->rc;
 	}
 #endif
-	init_waitqueue_head(&wq);
 	rq->callback = raw3270_wake_init;
-	rq->callback_data = &wq;
+	rq->callback_data = &raw3270_wait_queue;
 	spin_lock_irqsave(get_ccwdev_lock(view->dev->cdev), flags);
 	rc = __raw3270_start(rp, view, rq);
 	spin_unlock_irqrestore(get_ccwdev_lock(view->dev->cdev), flags);
 	if (rc)
 		return rc;
 	/* Now wait for the completion. */
-	rc = wait_event_interruptible(wq, raw3270_request_final(rq));
+	rc = wait_event_interruptible(raw3270_wait_queue,
+				      raw3270_request_final(rq));
 	if (rc == -ERESTARTSYS) {	/* Interrupted by a signal. */
 		raw3270_halt_io(view->dev, rq);
 		/* No wait for the halt to complete. */
-		wait_event(wq, raw3270_request_final(rq));
+		wait_event(raw3270_wait_queue, raw3270_request_final(rq));
 		return -ERESTARTSYS;
 	}
 	return rq->rc;