From 0955b5154ba3cd82dda011a3c792553cdbe5c8aa Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 3 May 2022 15:42:46 +0200 Subject: [PATCH] 4.19-stable patches added patches: tty-n_gsm-fix-incorrect-ua-handling.patch tty-n_gsm-fix-insufficient-txframe-size.patch tty-n_gsm-fix-missing-explicit-ldisc-flush.patch tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch tty-n_gsm-fix-wrong-command-retry-handling.patch --- queue-4.19/series | 5 ++ .../tty-n_gsm-fix-incorrect-ua-handling.patch | 38 ++++++++++ ...-n_gsm-fix-insufficient-txframe-size.patch | 52 +++++++++++++ ...gsm-fix-missing-explicit-ldisc-flush.patch | 35 +++++++++ ...-command-frame-length-field-encoding.patch | 76 +++++++++++++++++++ ...gsm-fix-wrong-command-retry-handling.patch | 66 ++++++++++++++++ 6 files changed, 272 insertions(+) create mode 100644 queue-4.19/tty-n_gsm-fix-incorrect-ua-handling.patch create mode 100644 queue-4.19/tty-n_gsm-fix-insufficient-txframe-size.patch create mode 100644 queue-4.19/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch create mode 100644 queue-4.19/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch create mode 100644 queue-4.19/tty-n_gsm-fix-wrong-command-retry-handling.patch diff --git a/queue-4.19/series b/queue-4.19/series index 287ba74f6a5..2a4dcddce9f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -50,3 +50,8 @@ x86-cpu-load-microcode-during-restore_processor_state.patch tty-n_gsm-fix-wrong-signal-octet-encoding-in-convergence-layer-type-2.patch tty-n_gsm-fix-malformed-counter-for-out-of-frame-data.patch netfilter-nft_socket-only-do-sk-lookups-when-indev-is-available.patch +tty-n_gsm-fix-insufficient-txframe-size.patch +tty-n_gsm-fix-missing-explicit-ldisc-flush.patch +tty-n_gsm-fix-wrong-command-retry-handling.patch +tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch +tty-n_gsm-fix-incorrect-ua-handling.patch diff --git a/queue-4.19/tty-n_gsm-fix-incorrect-ua-handling.patch b/queue-4.19/tty-n_gsm-fix-incorrect-ua-handling.patch new file mode 100644 index 00000000000..ee7ac31c4c9 --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-incorrect-ua-handling.patch @@ -0,0 +1,38 @@ +From ff9166c623704337bd6fe66fce2838d9768a6634 Mon Sep 17 00:00:00 2001 +From: Daniel Starke +Date: Thu, 14 Apr 2022 02:42:25 -0700 +Subject: tty: n_gsm: fix incorrect UA handling + +From: Daniel Starke + +commit ff9166c623704337bd6fe66fce2838d9768a6634 upstream. + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.4.4.2 states that any received unnumbered +acknowledgment (UA) with its poll/final (PF) bit set to 0 shall be +discarded. Currently, all UA frame are handled in the same way regardless +of the PF bit. This does not comply with the standard. +Remove the UA case in gsm_queue() to process only UA frames with PF bit set +to 1 to abide the standard. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220414094225.4527-20-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1811,7 +1811,6 @@ static void gsm_queue(struct gsm_mux *gs + gsm_response(gsm, address, UA); + gsm_dlci_close(dlci); + break; +- case UA: + case UA|PF: + if (cr == 0 || dlci == NULL) + break; diff --git a/queue-4.19/tty-n_gsm-fix-insufficient-txframe-size.patch b/queue-4.19/tty-n_gsm-fix-insufficient-txframe-size.patch new file mode 100644 index 00000000000..7857e7013ff --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-insufficient-txframe-size.patch @@ -0,0 +1,52 @@ +From 535bf600de75a859698892ee873521a48d289ec1 Mon Sep 17 00:00:00 2001 +From: Daniel Starke +Date: Thu, 14 Apr 2022 02:42:13 -0700 +Subject: tty: n_gsm: fix insufficient txframe size + +From: Daniel Starke + +commit 535bf600de75a859698892ee873521a48d289ec1 upstream. + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.7.2 states that the maximum frame size +(N1) refers to the length of the information field (i.e. user payload). +However, 'txframe' stores the whole frame including frame header, checksum +and start/end flags. We also need to consider the byte stuffing overhead. +Define constant for the protocol overhead and adjust the 'txframe' size +calculation accordingly to reserve enough space for a complete mux frame +including byte stuffing for advanced option mode. Note that no byte +stuffing is applied to the start and end flag. +Also use MAX_MTU instead of MAX_MRU as this buffer is used for data +transmission. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220414094225.4527-8-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -72,6 +72,8 @@ module_param(debug, int, 0600); + */ + #define MAX_MRU 1500 + #define MAX_MTU 1500 ++/* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */ ++#define PROT_OVERHEAD 7 + #define GSM_NET_TX_TIMEOUT (HZ*10) + + /** +@@ -2197,7 +2199,7 @@ static struct gsm_mux *gsm_alloc_mux(voi + kfree(gsm); + return NULL; + } +- gsm->txframe = kmalloc(2 * MAX_MRU + 2, GFP_KERNEL); ++ gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL); + if (gsm->txframe == NULL) { + kfree(gsm->buf); + kfree(gsm); diff --git a/queue-4.19/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch b/queue-4.19/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch new file mode 100644 index 00000000000..b2fd2d62948 --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-missing-explicit-ldisc-flush.patch @@ -0,0 +1,35 @@ +From 17eac652028501df7ea296b1d9b9c134db262b7d Mon Sep 17 00:00:00 2001 +From: Daniel Starke +Date: Thu, 14 Apr 2022 02:42:15 -0700 +Subject: tty: n_gsm: fix missing explicit ldisc flush + +From: Daniel Starke + +commit 17eac652028501df7ea296b1d9b9c134db262b7d upstream. + +In gsm_cleanup_mux() the muxer is closed down and all queues are removed. +However, removing the queues is done without explicit control of the +underlying buffers. Flush those before freeing up our queues to ensure +that all outgoing queues are cleared consistently. Otherwise, a new mux +connection establishment attempt may time out while the underlying tty is +still busy sending out the remaining data from the previous connection. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220414094225.4527-10-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2099,6 +2099,7 @@ static void gsm_cleanup_mux(struct gsm_m + gsm_dlci_release(gsm->dlci[i]); + mutex_unlock(&gsm->mutex); + /* Now wipe the queues */ ++ tty_ldisc_flush(gsm->tty); + list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list) + kfree(txq); + INIT_LIST_HEAD(&gsm->tx_list); diff --git a/queue-4.19/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch b/queue-4.19/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch new file mode 100644 index 00000000000..19ae53a407d --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-wrong-command-frame-length-field-encoding.patch @@ -0,0 +1,76 @@ +From 398867f59f956985f4c324f173eff7b946e14bd8 Mon Sep 17 00:00:00 2001 +From: Daniel Starke +Date: Thu, 14 Apr 2022 02:42:17 -0700 +Subject: tty: n_gsm: fix wrong command frame length field encoding + +From: Daniel Starke + +commit 398867f59f956985f4c324f173eff7b946e14bd8 upstream. + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.4.6.1 states that each command frame shall +be made up from type, length and value. Looking for example in chapter +5.4.6.3.5 at the description for the encoding of a flow control on command +it becomes obvious, that the type and length field is always present +whereas the value may be zero bytes long. The current implementation omits +the length field if the value is not present. This is wrong. +Correct this by always sending the length in gsm_control_transmit(). +So far only the modem status command (MSC) has included a value and encoded +its length directly. Therefore, also change gsmtty_modem_update(). + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220414094225.4527-12-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1302,11 +1302,12 @@ static void gsm_control_response(struct + + static void gsm_control_transmit(struct gsm_mux *gsm, struct gsm_control *ctrl) + { +- struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 1, gsm->ftype); ++ struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 2, gsm->ftype); + if (msg == NULL) + return; +- msg->data[0] = (ctrl->cmd << 1) | 2 | EA; /* command */ +- memcpy(msg->data + 1, ctrl->data, ctrl->len); ++ msg->data[0] = (ctrl->cmd << 1) | CR | EA; /* command */ ++ msg->data[1] = (ctrl->len << 1) | EA; ++ memcpy(msg->data + 2, ctrl->data, ctrl->len); + gsm_data_queue(gsm->dlci[0], msg); + } + +@@ -2860,19 +2861,17 @@ static struct tty_ldisc_ops tty_ldisc_pa + + static int gsmtty_modem_update(struct gsm_dlci *dlci, u8 brk) + { +- u8 modembits[5]; ++ u8 modembits[3]; + struct gsm_control *ctrl; + int len = 2; + +- if (brk) ++ modembits[0] = (dlci->addr << 2) | 2 | EA; /* DLCI, Valid, EA */ ++ modembits[1] = (gsm_encode_modem(dlci) << 1) | EA; ++ if (brk) { ++ modembits[2] = (brk << 4) | 2 | EA; /* Length, Break, EA */ + len++; +- +- modembits[0] = len << 1 | EA; /* Data bytes */ +- modembits[1] = dlci->addr << 2 | 3; /* DLCI, EA, 1 */ +- modembits[2] = gsm_encode_modem(dlci) << 1 | EA; +- if (brk) +- modembits[3] = brk << 4 | 2 | EA; /* Valid, EA */ +- ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len + 1); ++ } ++ ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len); + if (ctrl == NULL) + return -ENOMEM; + return gsm_control_wait(dlci->gsm, ctrl); diff --git a/queue-4.19/tty-n_gsm-fix-wrong-command-retry-handling.patch b/queue-4.19/tty-n_gsm-fix-wrong-command-retry-handling.patch new file mode 100644 index 00000000000..a47d804dbce --- /dev/null +++ b/queue-4.19/tty-n_gsm-fix-wrong-command-retry-handling.patch @@ -0,0 +1,66 @@ +From d0bcdffcad5a22f202e3bf37190c0dd8c080ea92 Mon Sep 17 00:00:00 2001 +From: Daniel Starke +Date: Thu, 14 Apr 2022 02:42:16 -0700 +Subject: tty: n_gsm: fix wrong command retry handling + +From: Daniel Starke + +commit d0bcdffcad5a22f202e3bf37190c0dd8c080ea92 upstream. + +n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. +See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 +The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to +the newer 27.010 here. Chapter 5.7.3 states that the valid range for the +maximum number of retransmissions (N2) is from 0 to 255 (both including). +gsm_config() fails to limit this range correctly. Furthermore, +gsm_control_retransmit() handles this number incorrectly by performing +N2 - 1 retransmission attempts. Setting N2 to zero results in more than 255 +retransmission attempts. +Fix the range check in gsm_config() and the value handling in +gsm_control_send() and gsm_control_retransmit() to comply with 3GPP 27.010. + +Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Starke +Link: https://lore.kernel.org/r/20220414094225.4527-11-daniel.starke@siemens.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1329,7 +1329,6 @@ static void gsm_control_retransmit(struc + spin_lock_irqsave(&gsm->control_lock, flags); + ctrl = gsm->pending_cmd; + if (ctrl) { +- gsm->cretries--; + if (gsm->cretries == 0) { + gsm->pending_cmd = NULL; + ctrl->error = -ETIMEDOUT; +@@ -1338,6 +1337,7 @@ static void gsm_control_retransmit(struc + wake_up(&gsm->event); + return; + } ++ gsm->cretries--; + gsm_control_transmit(gsm, ctrl); + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100); + } +@@ -1378,7 +1378,7 @@ retry: + + /* If DLCI0 is in ADM mode skip retries, it won't respond */ + if (gsm->dlci[0]->mode == DLCI_MODE_ADM) +- gsm->cretries = 1; ++ gsm->cretries = 0; + else + gsm->cretries = gsm->n2; + +@@ -2517,7 +2517,7 @@ static int gsmld_config(struct tty_struc + /* Check the MRU/MTU range looks sane */ + if (c->mru > MAX_MRU || c->mtu > MAX_MTU || c->mru < 8 || c->mtu < 8) + return -EINVAL; +- if (c->n2 < 3) ++ if (c->n2 > 255) + return -EINVAL; + if (c->encapsulation > 1) /* Basic, advanced, no I */ + return -EINVAL; -- 2.47.3