From 59b6573c72109c4c1bee928518949379da07c2da Mon Sep 17 00:00:00 2001
From: Andrew Morton <akpm@digeo.com>
Date: Mon, 14 Apr 2003 06:09:57 -0700
Subject: [PATCH] [PATCH] fix tty shutdown race

use-after-free races have been seen due to the workqueue timer in the tty
structure going off after the tty was freed.

Fix that up by using cancel_scheduled_work() and flush_scheduled_work().
---
 drivers/char/tty_io.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tty_io.c b/drivers/char/tty_io.c
index ff54795c42a5..acacb8cfe527 100644
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -1286,7 +1286,14 @@ static void release_dev(struct file * filp)
 	}
 	
 	/*
-	 * Make sure that the tty's task queue isn't activated. 
+	 * Prevent flush_to_ldisc() from rescheduling the work for later.  Then
+	 * kill any delayed work.
+	 */
+	clear_bit(TTY_DONT_FLIP, &tty->flags);
+	cancel_delayed_work(&tty->flip.work);
+
+	/*
+	 * Wait for ->hangup_work and ->flip.work handlers to terminate
 	 */
 	flush_scheduled_work();
 
-- 
2.30.9