oss-sec mailing list archives

CVE request: kernel: tty: make sure to flush any pending work when halting the ldisc


From: Eugene Teo <eugeneteo () kernel sg>
Date: Mon, 31 Aug 2009 11:52:21 +0800

The tty ldisc code was rewritten to use proper reference counts (commits 65b770468e98 and cbe9352fa08f) in order to avoid a race with hangup, but it also introduced another bug that can result in various problems such as a NULL pointer dereference in run_timer_softirq() or a BUG() in worker_thread. More info in the patch.

Upstream commit:
http://git.kernel.org/linus/5c58ceff103d8a654f24769bb1baaf84a841b0cc

Reproducer:
http://lkml.org/lkml/2009/8/20/27
http://lkml.org/lkml/2009/8/20/68

Backtrace:
http://lkml.org/lkml/2009/8/20/21

I believe this affects kernel versions greater than v2.6.26. The code in drivers/char/tty_ldisc.c was from drivers/char/tty_io.c before it was split into its own file in v2.6.27-rc1 (commit 01e1abb2). I did not investigate further.

Thanks, Eugene
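The failure mode the patch title describes, "pending work" that is not flushed when the ldisc is halted, is easiest to see in a small user-space model. The block below is an added example, not code from the page, the kernel, or the patch: struct wq, queue_work, cancel_work, flush_work, ldisc_work, halt_ldisc_scenario and cancel_pending_scenario are all hypothetical names, the 50 ms sleep stands in for real work, and a bool on a fake struct tty stands in for the freed or NULL state the kernel dereferences. It models one worker thread executing a work item that holds a pointer to the tty: a cancel only removes an item that has not started yet, so if halting cancels and then frees the tty while the callback is still executing, the callback touches freed memory; flushing (waiting for the in-flight callback) before the free closes the window.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <time.h>

/* Hypothetical user-space model of a one-thread work queue (example code, not
 * the kernel's); queue_work/cancel_work/flush_work mirror the roles of the kernel helpers. */
struct tty { bool freed; };                       /* stands in for struct tty */
struct work { struct tty *tty; bool started, saw_freed; };
struct wq {
    pthread_mutex_t lock; pthread_cond_t cv; pthread_t thread;
    struct work *queued;    /* pending: queued, not yet started */
    struct work *running;   /* in flight: callback currently executing */
};

/* The callback: works for a while, then dereferences the tty. */
static void ldisc_work(struct work *w)
{
    struct timespec ts = { 0, 50 * 1000 * 1000 };   /* 50 ms of "work" */
    nanosleep(&ts, NULL);
    w->saw_freed = w->tty->freed;   /* in the kernel: a use of freed/NULL state */
}

/* Single-shot worker: run the first item that gets queued, then exit. */
static void *worker(void *arg)
{
    struct wq *q = arg;
    pthread_mutex_lock(&q->lock);
    while (!q->queued) pthread_cond_wait(&q->cv, &q->lock);
    struct work *w = q->queued;
    q->queued = NULL; q->running = w; w->started = true;
    pthread_cond_broadcast(&q->cv);
    pthread_mutex_unlock(&q->lock);
    ldisc_work(w);                  /* callback runs without the queue lock */
    pthread_mutex_lock(&q->lock);
    q->running = NULL;
    pthread_cond_broadcast(&q->cv);
    pthread_mutex_unlock(&q->lock);
    return NULL;
}

static void wq_init(struct wq *q, bool start_worker)
{
    pthread_mutex_init(&q->lock, NULL); pthread_cond_init(&q->cv, NULL);
    q->queued = q->running = NULL;
    if (start_worker) pthread_create(&q->thread, NULL, worker, q);
}

static void queue_work(struct wq *q, struct work *w)
{
    pthread_mutex_lock(&q->lock); q->queued = w;
    pthread_cond_broadcast(&q->cv); pthread_mutex_unlock(&q->lock);
}

/* Like a cancel: removes w only if it has not started yet. */
static bool cancel_work(struct wq *q, struct work *w)
{
    pthread_mutex_lock(&q->lock);
    bool was_pending = (q->queued == w);
    if (was_pending) q->queued = NULL;
    pthread_mutex_unlock(&q->lock);
    return was_pending;
}

/* Like a flush: block until nothing is queued or running. */
static void flush_work(struct wq *q)
{
    pthread_mutex_lock(&q->lock);
    while (q->queued || q->running) pthread_cond_wait(&q->cv, &q->lock);
    pthread_mutex_unlock(&q->lock);
}

/* Halt while the callback is already in flight. Returns true if the callback
 * touched the tty after it was "freed", i.e. the bug reproduced. */
bool halt_ldisc_scenario(bool flush_before_free)
{
    struct wq q; struct tty tty = { false };
    struct work w = { &tty, false, false };
    wq_init(&q, true);
    queue_work(&q, &w);
    pthread_mutex_lock(&q.lock);    /* hangup arrives after the worker picked it up */
    while (!w.started) pthread_cond_wait(&q.cv, &q.lock);
    pthread_mutex_unlock(&q.lock);
    cancel_work(&q, &w);            /* returns false: too late to cancel */
    if (flush_before_free)
        flush_work(&q);             /* the fix: wait for the in-flight callback */
    tty.freed = true;               /* models freeing the tty once the ldisc is halted */
    pthread_join(q.thread, NULL);   /* model only: let the callback finish */
    return w.saw_freed;
}

/* Halt before the worker has picked the item up: cancelling alone suffices. */
bool cancel_pending_scenario(void)
{
    struct wq q; struct tty tty = { false };
    struct work w = { &tty, false, false };
    wq_init(&q, false);             /* no worker yet, so the item stays pending */
    queue_work(&q, &w);
    return cancel_work(&q, &w) && !w.started;
}
```

cancel_pending_scenario() returns true (a never-started item is fully handled by the cancel), halt_ldisc_scenario(false) returns true (the in-flight callback reads the tty after it was "freed"), and halt_ldisc_scenario(true) returns false. The point of the model is the ordering: a cancel says nothing about a callback that has already been dequeued, so teardown must also wait for it before the object it references goes away.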

