commit bd1cb5de140d844f63389bf21b336c194a8c83a1
author Martin Schwidefsky <schwidefsky@de.ibm.com> Fri Mar 21 15:24:27 2014 +0100
committer Martin Schwidefsky <schwidefsky@de.ibm.com> Tue Apr 01 09:23:36 2014 +0200
tree bf9d6e30ce80c0cf8f82d70903dff29fbf328822
parent 0ccc8b7ac86053388e793bad20bd26bd777752eb

s390/3270: fix crash with multiple reset device requests

If the 3270 device is detached the initial reset device request will
stays pending until the device is operational. A second reset device
call will reuse the same request structure which will cause an oops.
Add a check to see if the reset device request is already pending
and do nothing in this case.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

drivers/s390/char/raw3270.c

diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
index 9f849df..15b3459 100644
--- a/drivers/s390/char/raw3270.c
+++ b/drivers/s390/char/raw3270.c
@@ -632,6 +632,8 @@
 		raw3270_size_device_done(rp);
 	} else
 		raw3270_writesf_readpart(rp);
+	memset(&rp->init_reset, 0, sizeof(rp->init_reset));
+	memset(&rp->init_data, 0, sizeof(rp->init_data));
 }
 
 static int
@@ -639,9 +641,10 @@
 {
 	int rc;
 
+	/* Check if reset is already pending */
+	if (rp->init_reset.view)
+		return -EBUSY;
 	/* Store reset data stream to init_data/init_reset */
-	memset(&rp->init_reset, 0, sizeof(rp->init_reset));
-	memset(&rp->init_data, 0, sizeof(rp->init_data));
 	rp->init_data[0] = TW_KR;
 	rp->init_reset.ccw.cmd_code = TC_EWRITEA;
 	rp->init_reset.ccw.flags = CCW_FLAG_SLI;
@@ -850,7 +853,7 @@
 	char *ascebc;
 	int rc;
 
-	rp = kmalloc(sizeof(struct raw3270), GFP_KERNEL | GFP_DMA);
+	rp = kzalloc(sizeof(struct raw3270), GFP_KERNEL | GFP_DMA);
 	if (!rp)
 		return ERR_PTR(-ENOMEM);
 	ascebc = kmalloc(256, GFP_KERNEL);