From: Greg Kroah-Hartman Date: Mon, 28 Feb 2022 07:59:30 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.9.304~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7153e2d183819a53322b9b79a0dec99683f13492;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
---
diff --git a/queue-5.4/series b/queue-5.4/series
index 66fcf3403f4..fd3ad96c085 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -45,3 +45,5 @@ usb-dwc3-gadget-let-the-interrupt-handler-disable-bottom-halves.patch
 xhci-re-initialize-the-hc-during-resume-if-hce-was-set.patch
 xhci-prevent-futile-urb-re-submissions-due-to-incorrect-return-value.patch
 tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch
+tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
+tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
diff --git a/queue-5.4/tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch b/queue-5.4/tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
new file mode 100644
index 00000000000..6c8729222cf
--- /dev/null
+++ b/queue-5.4/tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
@@ -0,0 +1,45 @@
+From 96b169f05cdcc844b400695184d77e42071d14f2 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:20 -0800
+Subject: tty: n_gsm: fix NULL pointer access due to DLCI release
+
+From: daniel.starke@siemens.com
+
+commit 96b169f05cdcc844b400695184d77e42071d14f2 upstream.
+
+The here fixed commit made the tty hangup asynchronous to avoid a circular
+locking warning. I could not reproduce this warning. Furthermore, due to
+the asynchronous hangup the function call now gets queued up while the
+underlying tty is being freed. Depending on the timing this results in a
+NULL pointer access in the global work queue scheduler. To be precise in
+process_one_work(). Therefore, the previous commit made the issue worse
+which it tried to fix.
+
+This patch fixes this by falling back to the old behavior which uses a
+blocking tty hangup call before freeing up the associated tty.
+
+Fixes: 7030082a7415 ("tty: n_gsm: avoid recursive locking with async port hangup")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-4-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1722,7 +1722,12 @@ static void gsm_dlci_release(struct gsm_
+ gsm_destroy_network(dlci);
+ mutex_unlock(&dlci->mutex);
+
+- tty_hangup(tty);
++ /* We cannot use tty_hangup() because in tty_kref_put() the tty
++ * driver assumes that the hangup queue is free and reuses it to
++ * queue release_one_tty() -> NULL pointer panic in
++ * process_one_work().
++ */
++ tty_vhangup(tty);
+
+ tty_port_tty_set(&dlci->port, NULL);
+ tty_kref_put(tty);
diff --git a/queue-5.4/tty-n_gsm-fix-proper-link-termination-after-failed-open.patch b/queue-5.4/tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
new file mode 100644
index 00000000000..5e1c3e1b370
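Review bot: In the gsm_dlci_release() hunk carried by tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch, the new comment explains why tty_hangup() is unsafe but says nothing about the cost of the replacement. tty_vhangup() performs the hangup in the caller's context, and the commit message states that the asynchronous call was introduced by 7030082a7415 to avoid a circular locking warning. The hunk shows dlci->mutex released just before the call, but locks held further up the call chain are not visible here, so the original lockdep concern may return on some release paths. I would extend the comment with a line such as `* tty_vhangup() is synchronous; callers must not hold locks taken by the hangup path.` The function body starts and ends outside the hunk.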
--- /dev/null
+++ b/queue-5.4/tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
@@ -0,0 +1,38 @@
+From e3b7468f082d106459e86e8dc6fb9bdd65553433 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:19 -0800
+Subject: tty: n_gsm: fix proper link termination after failed open
+
+From: daniel.starke@siemens.com
+
+commit e3b7468f082d106459e86e8dc6fb9bdd65553433 upstream.
+
+Trying to open a DLCI by sending a SABM frame may fail with a timeout.
+The link is closed on the initiator side without informing the responder
+about this event. The responder assumes the link is open after sending a
+UA frame to answer the SABM frame. The link gets stuck in a half open
+state.
+
+This patch fixes this by initiating the proper link termination procedure
+after link setup timeout instead of silently closing it down.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-3-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1490,7 +1490,7 @@ static void gsm_dlci_t1(struct timer_lis
+ dlci->mode = DLCI_MODE_ADM;
+ gsm_dlci_open(dlci);
+ } else {
+- gsm_dlci_close(dlci);
++ gsm_dlci_begin_close(dlci); /* prevent half open link */
+ }
+
+ break;
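Review bot: The trailing comment `/* prevent half open link */` on the new gsm_dlci_begin_close() call in gsm_dlci_t1() does not say that the DLCI no longer closes immediately when the open attempt runs out of retries. Judging by the commit message, the close now goes through the normal termination procedure, so the channel presumably stays in a closing state until the peer answers or that procedure itself times out; gsm_dlci_begin_close() is not shown here, so this should be confirmed. A fuller comment would help, for example `/* open timed out: start the normal termination procedure so the responder does not keep a half-open link; the DLCI closes once that completes */`. The switch case continues outside the hunk.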