use-after-free races have been seen due to the workqueue timer in the tty structure going off after the tty was freed. Fix that up by using cancel_scheduled_work() and flush_scheduled_work(). drivers/char/tty_io.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletion(-) diff -puN drivers/char/tty_io.c~tty-shutdown-race-fix drivers/char/tty_io.c --- 25/drivers/char/tty_io.c~tty-shutdown-race-fix 2003-04-12 16:20:36.000000000 -0700 +++ 25-akpm/drivers/char/tty_io.c 2003-04-12 16:20:36.000000000 -0700 @@ -1286,7 +1286,14 @@ static void release_dev(struct file * fi } /* - * Make sure that the tty's task queue isn't activated. + * Prevent flush_to_ldisc() from rescheduling the work for later. Then + * kill any delayed work. + */ + clear_bit(TTY_DONT_FLIP, &tty->flags); + cancel_delayed_work(&tty->flip.work); + + /* + * Wait for ->hangup_work and ->flip.work handlers to terminate */ flush_scheduled_work(); _
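Review bot: in the release_dev() hunk, the new comment says clearing TTY_DONT_FLIP stops flush_to_ldisc() from rescheduling the work, but nothing in the visible lines prevents the bit from being set again between clear_bit(TTY_DONT_FLIP, &tty->flags) and the return of flush_scheduled_work(). If that can happen, the handler could requeue the delayed work after cancel_delayed_work(&tty->flip.work) has run, and the timer would again outlive the tty, which is the race the changelog describes. Please say in the comment why no path can set the flag at this point in release_dev(), or add the exclusion that guarantees it. The changelog also names cancel_scheduled_work() while the code calls cancel_delayed_work(); the description should match the call actually used. Lastly, the second comment mentions ->hangup_work, yet only ->flip.work is cancelled explicitly; a short note on why the flush alone is enough for hangup_work would help the next reader.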