thermal-int340x-fix-memory-leak-in-int3400_notify.patch
riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch
tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch
+tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
+tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
+tty-n_gsm-fix-wrong-tty-control-line-for-flow-control.patch
+tty-n_gsm-fix-deadlock-in-gsmtty_open.patch
--- /dev/null
+From a2ab75b8e76e455af7867e3835fd9cdf386b508f Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com" <daniel.starke@siemens.com>
+Date: Thu, 17 Feb 2022 23:31:23 -0800
+Subject: tty: n_gsm: fix deadlock in gsmtty_open()
+
+From: daniel.starke@siemens.com <daniel.starke@siemens.com>
+
+commit a2ab75b8e76e455af7867e3835fd9cdf386b508f upstream.
+
+In the current implementation the user may open a virtual tty which then
+could fail to establish the underlying DLCI. The function gsmtty_open()
+gets stuck in tty_port_block_til_ready() while waiting for a carrier rise.
+This happens if the remote side fails to acknowledge the link establishment
+request in time or completely. At some point gsm_dlci_close() is called
+to abort the link establishment attempt. The function tries to inform the
+associated virtual tty by performing a hangup. But the blocking loop within
+tty_port_block_til_ready() is not informed about this event.
+The patch proposed here fixes this by resetting the initialization state of
+the virtual tty to ensure the loop exits and triggering it to make
+tty_port_block_til_ready() return.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220218073123.2121-7-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1426,6 +1426,9 @@ static void gsm_dlci_close(struct gsm_dl
+ if (dlci->addr != 0) {
+ tty_port_tty_hangup(&dlci->port, false);
+ kfifo_reset(&dlci->fifo);
++ /* Ensure that gsmtty_open() can return. */
++ tty_port_set_initialized(&dlci->port, 0);
++ wake_up_interruptible(&dlci->port.open_wait);
+ } else
+ dlci->gsm->dead = true;
+ wake_up(&dlci->gsm->event);
--- /dev/null
+From 96b169f05cdcc844b400695184d77e42071d14f2 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com" <daniel.starke@siemens.com>
+Date: Thu, 17 Feb 2022 23:31:20 -0800
+Subject: tty: n_gsm: fix NULL pointer access due to DLCI release
+
+From: daniel.starke@siemens.com <daniel.starke@siemens.com>
+
+commit 96b169f05cdcc844b400695184d77e42071d14f2 upstream.
+
+The here fixed commit made the tty hangup asynchronous to avoid a circular
+locking warning. I could not reproduce this warning. Furthermore, due to
+the asynchronous hangup the function call now gets queued up while the
+underlying tty is being freed. Depending on the timing this results in a
+NULL pointer access in the global work queue scheduler. To be precise in
+process_one_work(). Therefore, the previous commit made the issue worse
+which it tried to fix.
+
+This patch fixes this by falling back to the old behavior which uses a
+blocking tty hangup call before freeing up the associated tty.
+
+Fixes: 7030082a7415 ("tty: n_gsm: avoid recursive locking with async port hangup")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220218073123.2121-4-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1719,7 +1719,12 @@ static void gsm_dlci_release(struct gsm_
+ gsm_destroy_network(dlci);
+ mutex_unlock(&dlci->mutex);
+
+- tty_hangup(tty);
++ /* We cannot use tty_hangup() because in tty_kref_put() the tty
++ * driver assumes that the hangup queue is free and reuses it to
++ * queue release_one_tty() -> NULL pointer panic in
++ * process_one_work().
++ */
++ tty_vhangup(tty);
+
+ tty_port_tty_set(&dlci->port, NULL);
+ tty_kref_put(tty);
--- /dev/null
+From e3b7468f082d106459e86e8dc6fb9bdd65553433 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com" <daniel.starke@siemens.com>
+Date: Thu, 17 Feb 2022 23:31:19 -0800
+Subject: tty: n_gsm: fix proper link termination after failed open
+
+From: daniel.starke@siemens.com <daniel.starke@siemens.com>
+
+commit e3b7468f082d106459e86e8dc6fb9bdd65553433 upstream.
+
+Trying to open a DLCI by sending a SABM frame may fail with a timeout.
+The link is closed on the initiator side without informing the responder
+about this event. The responder assumes the link is open after sending a
+UA frame to answer the SABM frame. The link gets stuck in a half open
+state.
+
+This patch fixes this by initiating the proper link termination procedure
+after link setup timeout instead of silently closing it down.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220218073123.2121-3-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1485,7 +1485,7 @@ static void gsm_dlci_t1(struct timer_lis
+ dlci->mode = DLCI_MODE_ADM;
+ gsm_dlci_open(dlci);
+ } else {
+- gsm_dlci_close(dlci);
++ gsm_dlci_begin_close(dlci); /* prevent half open link */
+ }
+
+ break;
--- /dev/null
+From c19d93542a6081577e6da9bf5e887979c72e80c1 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com" <daniel.starke@siemens.com>
+Date: Thu, 17 Feb 2022 23:31:21 -0800
+Subject: tty: n_gsm: fix wrong tty control line for flow control
+
+From: daniel.starke@siemens.com <daniel.starke@siemens.com>
+
+commit c19d93542a6081577e6da9bf5e887979c72e80c1 upstream.
+
+tty flow control is handled via gsmtty_throttle() and gsmtty_unthrottle().
+Both functions propagate the outgoing hardware flow control state to the
+remote side via MSC (modem status command) frames. The local state is taken
+from the RTS (ready to send) flag of the tty. However, RTS gets mapped to
+DTR (data terminal ready), which is wrong.
+This patch corrects this by mapping RTS to RTS.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220218073123.2121-5-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3178,9 +3178,9 @@ static void gsmtty_throttle(struct tty_s
+ if (dlci->state == DLCI_CLOSED)
+ return;
+ if (C_CRTSCTS(tty))
+- dlci->modem_tx &= ~TIOCM_DTR;
++ dlci->modem_tx &= ~TIOCM_RTS;
+ dlci->throttled = true;
+- /* Send an MSC with DTR cleared */
++ /* Send an MSC with RTS cleared */
+ gsmtty_modem_update(dlci, 0);
+ }
+
+@@ -3190,9 +3190,9 @@ static void gsmtty_unthrottle(struct tty
+ if (dlci->state == DLCI_CLOSED)
+ return;
+ if (C_CRTSCTS(tty))
+- dlci->modem_tx |= TIOCM_DTR;
++ dlci->modem_tx |= TIOCM_RTS;
+ dlci->throttled = false;
+- /* Send an MSC with DTR set */
++ /* Send an MSC with RTS set */
+ gsmtty_modem_update(dlci, 0);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
