From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 3 May 2022 13:42:17 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.192~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3bb98961d0ead97400c72c7b368c6119708edc03;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	tty-n_gsm-fix-incorrect-ua-handling.patch
	tty-n_gsm-fix-insufficient-txframe-size.patch
	tty-n_gsm-fix-missing-explicit-ldisc-flush.patch
	tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch
	tty-n_gsm-fix-wrong-command-retry-handling.patch
---

diff --git a/queue-4.9/series b/queue-4.9/series
index 5c45a97f1d0..a88c89eaf29 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -36,3 +36,8 @@ drivers-net-hippi-fix-deadlock-in-rr_close.patch
 x86-cpu-load-microcode-during-restore_processor_state.patch
 tty-n_gsm-fix-wrong-signal-octet-encoding-in-convergence-layer-type-2.patch
 tty-n_gsm-fix-malformed-counter-for-out-of-frame-data.patch
+tty-n_gsm-fix-insufficient-txframe-size.patch
+tty-n_gsm-fix-missing-explicit-ldisc-flush.patch
+tty-n_gsm-fix-wrong-command-retry-handling.patch
+tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch
+tty-n_gsm-fix-incorrect-ua-handling.patch
diff --git a/queue-4.9/tty-n_gsm-fix-incorrect-ua-handling.patch b/queue-4.9/tty-n_gsm-fix-incorrect-ua-handling.patch
new file mode 100644
index 00000000000..5ca6d86c89c
--- /dev/null
+++ b/queue-4.9/tty-n_gsm-fix-incorrect-ua-handling.patch
@@ -0,0 +1,38 @@
+From ff9166c623704337bd6fe66fce2838d9768a6634 Mon Sep 17 00:00:00 2001
+From: Daniel Starke <daniel.starke@siemens.com>
+Date: Thu, 14 Apr 2022 02:42:25 -0700
+Subject: tty: n_gsm: fix incorrect UA handling
+
+From: Daniel Starke <daniel.starke@siemens.com>
+
+commit ff9166c623704337bd6fe66fce2838d9768a6634 upstream.
+
+n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
+See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
+The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
+the newer 27.010 here. Chapter 5.4.4.2 states that any received unnumbered
+acknowledgment (UA) with its poll/final (PF) bit set to 0 shall be
+discarded. Currently, all UA frame are handled in the same way regardless
+of the PF bit. This does not comply with the standard.
+Remove the UA case in gsm_queue() to process only UA frames with PF bit set
+to 1 to abide the standard.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220414094225.4527-20-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1829,7 +1829,6 @@ static void gsm_queue(struct gsm_mux *gs
+ 		gsm_response(gsm, address, UA);
+ 		gsm_dlci_close(dlci);
+ 		break;
+-	case UA:
+ 	case UA|PF:
+ 		if (cr == 0 || dlci == NULL)
+ 			break;
diff --git a/queue-4.9/tty-n_gsm-fix-insufficient-txframe-size.patch b/queue-4.9/tty-n_gsm-fix-insufficient-txframe-size.patch
new file mode 100644
index 00000000000..ccf37c4a854
--- /dev/null
+++ b/queue-4.9/tty-n_gsm-fix-insufficient-txframe-size.patch
@@ -0,0 +1,52 @@
+From 535bf600de75a859698892ee873521a48d289ec1 Mon Sep 17 00:00:00 2001
+From: Daniel Starke <daniel.starke@siemens.com>
+Date: Thu, 14 Apr 2022 02:42:13 -0700
+Subject: tty: n_gsm: fix insufficient txframe size
+
+From: Daniel Starke <daniel.starke@siemens.com>
+
+commit 535bf600de75a859698892ee873521a48d289ec1 upstream.
+
+n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
+See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
+The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
+the newer 27.010 here. Chapter 5.7.2 states that the maximum frame size
+(N1) refers to the length of the information field (i.e. user payload).
+However, 'txframe' stores the whole frame including frame header, checksum
+and start/end flags. We also need to consider the byte stuffing overhead.
+Define constant for the protocol overhead and adjust the 'txframe' size
+calculation accordingly to reserve enough space for a complete mux frame
+including byte stuffing for advanced option mode. Note that no byte
+stuffing is applied to the start and end flag.
+Also use MAX_MTU instead of MAX_MRU as this buffer is used for data
+transmission.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220414094225.4527-8-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -84,6 +84,8 @@ module_param(debug, int, 0600);
+  */
+ #define MAX_MRU 1500
+ #define MAX_MTU 1500
++/* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */
++#define PROT_OVERHEAD 7
+ #define	GSM_NET_TX_TIMEOUT (HZ*10)
+ 
+ /**
+@@ -2199,7 +2201,7 @@ static struct gsm_mux *gsm_alloc_mux(voi
+ 		kfree(gsm);
+ 		return NULL;
+ 	}
+-	gsm->txframe = kmalloc(2 * MAX_MRU + 2, GFP_KERNEL);
++	gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL);
+ 	if (gsm->txframe == NULL) {
+ 		kfree(gsm->buf);
+ 		kfree(gsm);
diff --git a/queue-4.9/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch b/queue-4.9/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch
new file mode 100644
index 00000000000..4a05527a18e
--- /dev/null
+++ b/queue-4.9/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch
@@ -0,0 +1,35 @@
+From 17eac652028501df7ea296b1d9b9c134db262b7d Mon Sep 17 00:00:00 2001
+From: Daniel Starke <daniel.starke@siemens.com>
+Date: Thu, 14 Apr 2022 02:42:15 -0700
+Subject: tty: n_gsm: fix missing explicit ldisc flush
+
+From: Daniel Starke <daniel.starke@siemens.com>
+
+commit 17eac652028501df7ea296b1d9b9c134db262b7d upstream.
+
+In gsm_cleanup_mux() the muxer is closed down and all queues are removed.
+However, removing the queues is done without explicit control of the
+underlying buffers. Flush those before freeing up our queues to ensure
+that all outgoing queues are cleared consistently. Otherwise, a new mux
+connection establishment attempt may time out while the underlying tty is
+still busy sending out the remaining data from the previous connection.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220414094225.4527-10-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -2101,6 +2101,7 @@ static void gsm_cleanup_mux(struct gsm_m
+ 			gsm_dlci_release(gsm->dlci[i]);
+ 	mutex_unlock(&gsm->mutex);
+ 	/* Now wipe the queues */
++	tty_ldisc_flush(gsm->tty);
+ 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list)
+ 		kfree(txq);
+ 	INIT_LIST_HEAD(&gsm->tx_list);
diff --git a/queue-4.9/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch b/queue-4.9/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch
new file mode 100644
index 00000000000..1aaa07a8292
--- /dev/null
+++ b/queue-4.9/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch
@@ -0,0 +1,76 @@
+From 398867f59f956985f4c324f173eff7b946e14bd8 Mon Sep 17 00:00:00 2001
+From: Daniel Starke <daniel.starke@siemens.com>
+Date: Thu, 14 Apr 2022 02:42:17 -0700
+Subject: tty: n_gsm: fix wrong command frame length field encoding
+
+From: Daniel Starke <daniel.starke@siemens.com>
+
+commit 398867f59f956985f4c324f173eff7b946e14bd8 upstream.
+
+n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
+See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
+The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
+the newer 27.010 here. Chapter 5.4.6.1 states that each command frame shall
+be made up from type, length and value. Looking for example in chapter
+5.4.6.3.5 at the description for the encoding of a flow control on command
+it becomes obvious, that the type and length field is always present
+whereas the value may be zero bytes long. The current implementation omits
+the length field if the value is not present. This is wrong.
+Correct this by always sending the length in gsm_control_transmit().
+So far only the modem status command (MSC) has included a value and encoded
+its length directly. Therefore, also change gsmtty_modem_update().
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220414094225.4527-12-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c |   23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1318,11 +1318,12 @@ static void gsm_control_response(struct
+ 
+ static void gsm_control_transmit(struct gsm_mux *gsm, struct gsm_control *ctrl)
+ {
+-	struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 1, gsm->ftype);
++	struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 2, gsm->ftype);
+ 	if (msg == NULL)
+ 		return;
+-	msg->data[0] = (ctrl->cmd << 1) | 2 | EA;	/* command */
+-	memcpy(msg->data + 1, ctrl->data, ctrl->len);
++	msg->data[0] = (ctrl->cmd << 1) | CR | EA;	/* command */
++	msg->data[1] = (ctrl->len << 1) | EA;
++	memcpy(msg->data + 2, ctrl->data, ctrl->len);
+ 	gsm_data_queue(gsm->dlci[0], msg);
+ }
+ 
+@@ -2864,19 +2865,17 @@ static struct tty_ldisc_ops tty_ldisc_pa
+ 
+ static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk)
+ {
+-	u8 modembits[5];
++	u8 modembits[3];
+ 	struct gsm_control *ctrl;
+ 	int len = 2;
+ 
+-	if (brk)
++	modembits[0] = (dlci->addr << 2) | 2 | EA;  /* DLCI, Valid, EA */
++	modembits[1] = (gsm_encode_modem(dlci) << 1) | EA;
++	if (brk) {
++		modembits[2] = (brk << 4) | 2 | EA; /* Length, Break, EA */
+ 		len++;
+-
+-	modembits[0] = len << 1 | EA;		/* Data bytes */
+-	modembits[1] = dlci->addr << 2 | 3;	/* DLCI, EA, 1 */
+-	modembits[2] = gsm_encode_modem(dlci) << 1 | EA;
+-	if (brk)
+-		modembits[3] = brk << 4 | 2 | EA;	/* Valid, EA */
+-	ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len + 1);
++	}
++	ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len);
+ 	if (ctrl == NULL)
+ 		return -ENOMEM;
+ 	return gsm_control_wait(dlci->gsm, ctrl);
diff --git a/queue-4.9/tty-n_gsm-fix-wrong-command-retry-handling.patch b/queue-4.9/tty-n_gsm-fix-wrong-command-retry-handling.patch
new file mode 100644
index 00000000000..da5285f0085
--- /dev/null
+++ b/queue-4.9/tty-n_gsm-fix-wrong-command-retry-handling.patch
@@ -0,0 +1,66 @@
+From d0bcdffcad5a22f202e3bf37190c0dd8c080ea92 Mon Sep 17 00:00:00 2001
+From: Daniel Starke <daniel.starke@siemens.com>
+Date: Thu, 14 Apr 2022 02:42:16 -0700
+Subject: tty: n_gsm: fix wrong command retry handling
+
+From: Daniel Starke <daniel.starke@siemens.com>
+
+commit d0bcdffcad5a22f202e3bf37190c0dd8c080ea92 upstream.
+
+n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
+See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
+The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
+the newer 27.010 here. Chapter 5.7.3 states that the valid range for the
+maximum number of retransmissions (N2) is from 0 to 255 (both including).
+gsm_config() fails to limit this range correctly. Furthermore,
+gsm_control_retransmit() handles this number incorrectly by performing
+N2 - 1 retransmission attempts. Setting N2 to zero results in more than 255
+retransmission attempts.
+Fix the range check in gsm_config() and the value handling in
+gsm_control_send() and gsm_control_retransmit() to comply with 3GPP 27.010.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220414094225.4527-11-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1345,7 +1345,6 @@ static void gsm_control_retransmit(unsig
+ 	spin_lock_irqsave(&gsm->control_lock, flags);
+ 	ctrl = gsm->pending_cmd;
+ 	if (ctrl) {
+-		gsm->cretries--;
+ 		if (gsm->cretries == 0) {
+ 			gsm->pending_cmd = NULL;
+ 			ctrl->error = -ETIMEDOUT;
+@@ -1354,6 +1353,7 @@ static void gsm_control_retransmit(unsig
+ 			wake_up(&gsm->event);
+ 			return;
+ 		}
++		gsm->cretries--;
+ 		gsm_control_transmit(gsm, ctrl);
+ 		mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
+ 	}
+@@ -1394,7 +1394,7 @@ retry:
+ 
+ 	/* If DLCI0 is in ADM mode skip retries, it won't respond */
+ 	if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
+-		gsm->cretries = 1;
++		gsm->cretries = 0;
+ 	else
+ 		gsm->cretries = gsm->n2;
+ 
+@@ -2519,7 +2519,7 @@ static int gsmld_config(struct tty_struc
+ 	/* Check the MRU/MTU range looks sane */
+ 	if (c->mru > MAX_MRU || c->mtu > MAX_MTU || c->mru < 8 || c->mtu < 8)
+ 		return -EINVAL;
+-	if (c->n2 < 3)
++	if (c->n2 > 255)
+ 		return -EINVAL;
+ 	if (c->encapsulation > 1)	/* Basic, advanced, no I */
+ 		return -EINVAL;