From: Greg Kroah-Hartman Date: Mon, 28 Feb 2022 07:59:32 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.9.304~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a4a0d298e9651212192e5c71a7ebd3450f122fe;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: tty-n_gsm-fix-deadlock-in-gsmtty_open.patch tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch tty-n_gsm-fix-proper-link-termination-after-failed-open.patch tty-n_gsm-fix-wrong-tty-control-line-for-flow-control.patch
---
diff --git a/queue-5.10/series b/queue-5.10/series
index 0a85ab07a21..95bf0b9d657 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -72,3 +72,7 @@ rdma-cma-do-not-change-route.addr.src_addr-outside-state-checks.patch
 thermal-int340x-fix-memory-leak-in-int3400_notify.patch
 riscv-fix-oops-caused-by-irqsoff-latency-tracer.patch
 tty-n_gsm-fix-encoding-of-control-signal-octet-bit-dv.patch
+tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
+tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
+tty-n_gsm-fix-wrong-tty-control-line-for-flow-control.patch
+tty-n_gsm-fix-deadlock-in-gsmtty_open.patch
diff --git a/queue-5.10/tty-n_gsm-fix-deadlock-in-gsmtty_open.patch b/queue-5.10/tty-n_gsm-fix-deadlock-in-gsmtty_open.patch
new file mode 100644
index 00000000000..6dcba1260a7
--- /dev/null
+++ b/queue-5.10/tty-n_gsm-fix-deadlock-in-gsmtty_open.patch
@@ -0,0 +1,42 @@
+From a2ab75b8e76e455af7867e3835fd9cdf386b508f Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:23 -0800
+Subject: tty: n_gsm: fix deadlock in gsmtty_open()
+
+From: daniel.starke@siemens.com
+
+commit a2ab75b8e76e455af7867e3835fd9cdf386b508f upstream.
+
+In the current implementation the user may open a virtual tty which then
+could fail to establish the underlying DLCI. The function gsmtty_open()
+gets stuck in tty_port_block_til_ready() while waiting for a carrier rise.
+This happens if the remote side fails to acknowledge the link establishment
+request in time or completely. At some point gsm_dlci_close() is called
+to abort the link establishment attempt. The function tries to inform the
+associated virtual tty by performing a hangup. But the blocking loop within
+tty_port_block_til_ready() is not informed about this event.
+The patch proposed here fixes this by resetting the initialization state of
+the virtual tty to ensure the loop exits and triggering it to make
+tty_port_block_til_ready() return.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-7-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1426,6 +1426,9 @@ static void gsm_dlci_close(struct gsm_dl
+ if (dlci->addr != 0) {
+ tty_port_tty_hangup(&dlci->port, false);
+ kfifo_reset(&dlci->fifo);
++ /* Ensure that gsmtty_open() can return. */
++ tty_port_set_initialized(&dlci->port, 0);
++ wake_up_interruptible(&dlci->port.open_wait);
+ } else
+ dlci->gsm->dead = true;
+ wake_up(&dlci->gsm->event);
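Review bot: The added comment in gsm_dlci_close() states the goal (`Ensure that gsmtty_open() can return.`) but not why two calls are needed; that mechanism is only in the commit message. Per that message, the hangup alone does not release the waiter in tty_port_block_til_ready(), so the initialized state is cleared and the waiter is then woken. I would record that and the ordering in the comment, e.g. `/* The hangup does not release tty_port_block_til_ready(): clear the initialized state first, then wake the open_wait sleeper so gsmtty_open() returns. */`. It is also worth confirming that nothing later on this port's close path depends on the initialized state still being set, since it is now cleared here. The body of gsm_dlci_close() starts and ends outside the hunk.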
diff --git a/queue-5.10/tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch b/queue-5.10/tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
new file mode 100644
index 00000000000..b715cb49549
--- /dev/null
+++ b/queue-5.10/tty-n_gsm-fix-null-pointer-access-due-to-dlci-release.patch
@@ -0,0 +1,45 @@
+From 96b169f05cdcc844b400695184d77e42071d14f2 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:20 -0800
+Subject: tty: n_gsm: fix NULL pointer access due to DLCI release
+
+From: daniel.starke@siemens.com
+
+commit 96b169f05cdcc844b400695184d77e42071d14f2 upstream.
+
+The here fixed commit made the tty hangup asynchronous to avoid a circular
+locking warning. I could not reproduce this warning. Furthermore, due to
+the asynchronous hangup the function call now gets queued up while the
+underlying tty is being freed. Depending on the timing this results in a
+NULL pointer access in the global work queue scheduler. To be precise in
+process_one_work(). Therefore, the previous commit made the issue worse
+which it tried to fix.
+
+This patch fixes this by falling back to the old behavior which uses a
+blocking tty hangup call before freeing up the associated tty.
+
+Fixes: 7030082a7415 ("tty: n_gsm: avoid recursive locking with async port hangup")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-4-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1719,7 +1719,12 @@ static void gsm_dlci_release(struct gsm_
+ gsm_destroy_network(dlci);
+ mutex_unlock(&dlci->mutex);
+
+- tty_hangup(tty);
++ /* We cannot use tty_hangup() because in tty_kref_put() the tty
++ * driver assumes that the hangup queue is free and reuses it to
++ * queue release_one_tty() -> NULL pointer panic in
++ * process_one_work().
++ */
++ tty_vhangup(tty);
+
+ tty_port_tty_set(&dlci->port, NULL);
+ tty_kref_put(tty);
diff --git a/queue-5.10/tty-n_gsm-fix-proper-link-termination-after-failed-open.patch b/queue-5.10/tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
new file mode 100644
index 00000000000..9ebe1418b78
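Review bot: In gsm_dlci_release(), `tty_vhangup(tty)` runs the hangup synchronously in the caller's context, which is the behaviour commit 7030082a7415 moved away from because of a circular-locking warning, and the new comment does not say why that is safe now. The hunk shows dlci->mutex dropped just above the call, but the locks held by callers of gsm_dlci_release() are not visible here, and the commit message only says the warning could not be reproduced. I would add the locking expectation as a last comment line, e.g. `* tty_vhangup() runs synchronously: dlci->mutex is already dropped here.`, and exercise the mux teardown path with lockdep enabled before relying on it. The function body continues outside the hunk.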
--- /dev/null
+++ b/queue-5.10/tty-n_gsm-fix-proper-link-termination-after-failed-open.patch
@@ -0,0 +1,38 @@
+From e3b7468f082d106459e86e8dc6fb9bdd65553433 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:19 -0800
+Subject: tty: n_gsm: fix proper link termination after failed open
+
+From: daniel.starke@siemens.com
+
+commit e3b7468f082d106459e86e8dc6fb9bdd65553433 upstream.
+
+Trying to open a DLCI by sending a SABM frame may fail with a timeout.
+The link is closed on the initiator side without informing the responder
+about this event. The responder assumes the link is open after sending a
+UA frame to answer the SABM frame. The link gets stuck in a half open
+state.
+
+This patch fixes this by initiating the proper link termination procedure
+after link setup timeout instead of silently closing it down.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-3-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1485,7 +1485,7 @@ static void gsm_dlci_t1(struct timer_lis
+ dlci->mode = DLCI_MODE_ADM;
+ gsm_dlci_open(dlci);
+ } else {
+- gsm_dlci_close(dlci);
++ gsm_dlci_begin_close(dlci); /* prevent half open link */
+ }
+
+ break;
diff --git a/queue-5.10/tty-n_gsm-fix-wrong-tty-control-line-for-flow-control.patch b/queue-5.10/tty-n_gsm-fix-wrong-tty-control-line-for-flow-control.patch
new file mode 100644
index 00000000000..eab72ff7ec9
--- /dev/null
+++ b/queue-5.10/tty-n_gsm-fix-wrong-tty-control-line-for-flow-control.patch
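Review bot: In the timeout branch of gsm_dlci_t1(), the trailing comment `/* prevent half open link */` does not tell the reader that the DLCI is no longer closed at this point. With gsm_dlci_close() replaced by gsm_dlci_begin_close(), the final close, and the hangup that releases a blocked gsmtty_open(), presumably happens only once the termination procedure completes or itself times out. An unresponsive peer would therefore delay the failure the opener sees. I would put this on its own line above the call: `/* Start link termination instead of closing locally so the peer does not keep a half open link; the close itself follows once termination finishes or times out. */`. The switch case this belongs to starts and ends outside the hunk.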
@@ -0,0 +1,51 @@
+From c19d93542a6081577e6da9bf5e887979c72e80c1 Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com"
+Date: Thu, 17 Feb 2022 23:31:21 -0800
+Subject: tty: n_gsm: fix wrong tty control line for flow control
+
+From: daniel.starke@siemens.com
+
+commit c19d93542a6081577e6da9bf5e887979c72e80c1 upstream.
+
+tty flow control is handled via gsmtty_throttle() and gsmtty_unthrottle().
+Both functions propagate the outgoing hardware flow control state to the
+remote side via MSC (modem status command) frames. The local state is taken
+from the RTS (ready to send) flag of the tty. However, RTS gets mapped to
+DTR (data terminal ready), which is wrong.
+This patch corrects this by mapping RTS to RTS.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke
+Link: https://lore.kernel.org/r/20220218073123.2121-5-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/n_gsm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3178,9 +3178,9 @@ static void gsmtty_throttle(struct tty_s
+ if (dlci->state == DLCI_CLOSED)
+ return;
+ if (C_CRTSCTS(tty))
+- dlci->modem_tx &= ~TIOCM_DTR;
++ dlci->modem_tx &= ~TIOCM_RTS;
+ dlci->throttled = true;
+- /* Send an MSC with DTR cleared */
++ /* Send an MSC with RTS cleared */
+ gsmtty_modem_update(dlci, 0);
+ }
+
+@@ -3190,9 +3190,9 @@ static void gsmtty_unthrottle(struct tty
+ if (dlci->state == DLCI_CLOSED)
+ return;
+ if (C_CRTSCTS(tty))
+- dlci->modem_tx |= TIOCM_DTR;
++ dlci->modem_tx |= TIOCM_RTS;
+ dlci->throttled = false;
+- /* Send an MSC with DTR set */
++ /* Send an MSC with RTS set */
+ gsmtty_modem_update(dlci, 0);
+ }
+
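Review bot: The updated comments `/* Send an MSC with RTS cleared */` in gsmtty_throttle() and `/* Send an MSC with RTS set */` in gsmtty_unthrottle() are accurate only when CRTSCTS is enabled. The unbraced `if (C_CRTSCTS(tty))` guards just the modem_tx update, while `dlci->throttled` is changed and gsmtty_modem_update() is called unconditionally. Suggested wording: `/* Send an MSC with the new throttle state (RTS cleared only with CRTSCTS) */`, and the matching `(RTS set only with CRTSCTS)` in the second hunk. Separately, unthrottle sets RTS in modem_tx regardless of its value before the throttle. If userspace can lower RTS itself through the modem-control ioctls, that state would be overwritten, which may be worth checking outside this hunk.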