s390/3270: fix crash with multiple reset device requests
If the 3270 device is detached the initial reset device request will
stays pending until the device is operational. A second reset device
call will reuse the same request structure which will cause an oops.
Add a check to see if the reset device request is already pending
and do nothing in this case.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
index 9f849df..15b3459 100644
--- a/drivers/s390/char/raw3270.c
+++ b/drivers/s390/char/raw3270.c
@@ -632,6 +632,8 @@
raw3270_size_device_done(rp);
} else
raw3270_writesf_readpart(rp);
+ memset(&rp->init_reset, 0, sizeof(rp->init_reset));
+ memset(&rp->init_data, 0, sizeof(rp->init_data));
}
static int
@@ -639,9 +641,10 @@
{
int rc;
+ /* Check if reset is already pending */
+ if (rp->init_reset.view)
+ return -EBUSY;
/* Store reset data stream to init_data/init_reset */
- memset(&rp->init_reset, 0, sizeof(rp->init_reset));
- memset(&rp->init_data, 0, sizeof(rp->init_data));
rp->init_data[0] = TW_KR;
rp->init_reset.ccw.cmd_code = TC_EWRITEA;
rp->init_reset.ccw.flags = CCW_FLAG_SLI;
@@ -850,7 +853,7 @@
char *ascebc;
int rc;
- rp = kmalloc(sizeof(struct raw3270), GFP_KERNEL | GFP_DMA);
+ rp = kzalloc(sizeof(struct raw3270), GFP_KERNEL | GFP_DMA);
if (!rp)
return ERR_PTR(-ENOMEM);
ascebc = kmalloc(256, GFP_KERNEL);