From: <gregkh@linuxfoundation.org>
To: penguin-kernel@I-love.SAKURA.ne.jp, gregkh@linuxfoundation.org,
	jirislaby@kernel.org, stable@kernel.org,
	syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Subject: FAILED: patch "[PATCH] tty: n_gsm: initialize more members at gsm_alloc_mux()" failed to apply to 5.15-stable tree
Date: Tue, 06 Sep 2022 13:54:10 +0200
Message-ID: <16624652505201@kroah.com>


The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

Possible dependencies:

4bb1a53be85f ("tty: n_gsm: initialize more members at gsm_alloc_mux()")
734966043860 ("tty: n_gsm: fix resource allocation order in gsm_activate_mux()")
0af021678d5d ("tty: n_gsm: fix deadlock and link starvation in outgoing data path")
bec0224816d1 ("tty: n_gsm: fix non flow control frames during mux flow off")
c568f7086c6e ("tty: n_gsm: fix missing timer to handle stalled links")
556fc8ac0651 ("tty: n_gsm: fix wrong queuing behavior in gsm_dlci_data_output()")
01aecd917114 ("tty: n_gsm: fix tty registration before control channel open")
925ea0fa5277 ("tty: n_gsm: Fix packet data hex dump output")
f4f7d6328721 ("tty: n_gsm: fix software flow control handling")
c19ffe00fed6 ("tty: n_gsm: fix invalid use of MSC in advanced option")
a8c5b8255f8a ("tty: n_gsm: fix broken virtual tty handling")
48473802506d ("tty: n_gsm: fix missing update of modem controls after DLCI open")
73029a4d7161 ("tty: n_gsm: fix reset fifo race condition")
398867f59f95 ("tty: n_gsm: fix wrong command frame length field encoding")
17eac6520285 ("tty: n_gsm: fix missing explicit ldisc flush")
deefc58bafb4 ("tty: n_gsm: fix wrong DLCI release order")
7a0e4b1733b6 ("tty: n_gsm: fix frame reception handling")
06d5afd4d640 ("tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2")
284260f278b7 ("tty: n_gsm: fix mux cleanup after unregister tty device")
1ec92e974277 ("tty: n_gsm: fix decoupled mux resource")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 4bb1a53be85fcb1e24c14860e326a00cdd362c28 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Sat, 27 Aug 2022 22:47:19 +0900
Subject: [PATCH] tty: n_gsm: initialize more members at gsm_alloc_mux()

syzbot is reporting use of uninitialized spinlock at gsmld_write() [1], for
commit 32dd59f96924f45e ("tty: n_gsm: fix race condition in gsmld_write()")
allows accessing gsm->tx_lock before gsm_activate_mux() initializes it.

Since object initialization should be done right after allocation in order
to avoid accessing uninitialized memory, move initialization of
timer/work/waitqueue/spinlock from gsmld_open()/gsm_activate_mux() to
gsm_alloc_mux().

Link: https://syzkaller.appspot.com/bug?extid=cf155def4e717db68a12 [1]
Fixes: 32dd59f96924f45e ("tty: n_gsm: fix race condition in gsmld_write()")
Reported-by: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com>
Tested-by: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com>
Cc: stable <stable@kernel.org>
Acked-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/r/2110618e-57f0-c1ce-b2ad-b6cacef3f60e@I-love.SAKURA.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 38688cb16c20..d6598ca3640f 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -2501,13 +2501,6 @@ static int gsm_activate_mux(struct gsm_mux *gsm)
 	if (dlci == NULL)
 		return -ENOMEM;
 
-	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
-	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
-	INIT_WORK(&gsm->tx_work, gsmld_write_task);
-	init_waitqueue_head(&gsm->event);
-	spin_lock_init(&gsm->control_lock);
-	spin_lock_init(&gsm->tx_lock);
-
 	if (gsm->encoding == 0)
 		gsm->receive = gsm0_receive;
 	else
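Review bot: With the six init calls removed after the `dlci == NULL` check, gsm_activate_mux() now depends silently on gsm_alloc_mux() having set up kick_timer, t2_timer, tx_work, event, control_lock and tx_lock. A one-line comment at this spot stating that dependency would help. If the driver allows a mux to be cleaned up and activated again, it is also worth confirming that the cleanup path leaves the timers and work item idle, since nothing re-initializes them here any more.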
@@ -2612,6 +2605,12 @@ static struct gsm_mux *gsm_alloc_mux(void)
 	kref_init(&gsm->ref);
 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
 	INIT_LIST_HEAD(&gsm->tx_data_list);
+	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
+	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
+	INIT_WORK(&gsm->tx_work, gsmld_write_task);
+	init_waitqueue_head(&gsm->event);
+	spin_lock_init(&gsm->control_lock);
+	spin_lock_init(&gsm->tx_lock);
 
 	gsm->t1 = T1;
 	gsm->t2 = T2;
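Review bot: The block added after INIT_LIST_HEAD(&gsm->tx_data_list) should carry a short comment stating the rule from the commit message: any member reachable from the line discipline entry points (gsmld_write() takes tx_lock) has to be initialized in gsm_alloc_mux(), so that later additions to struct gsm_mux follow it. For the 5.15 backport this mail asks for, check each of the six members against that tree's struct gsm_mux and move only the ones that exist there, rather than pulling in the whole dependency list.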
@@ -2947,10 +2946,6 @@ static int gsmld_open(struct tty_struct *tty)
 
 	gsmld_attach_gsm(tty, gsm);
 
-	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
-	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
-	INIT_WORK(&gsm->tx_work, gsmld_write_task);
-
 	return 0;
 }
 
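Review bot: The commit message explains only the tx_lock case, but this hunk in gsmld_open() also drops a second initialization of kick_timer, t2_timer and tx_work that duplicated the calls in gsm_activate_mux() and ran after gsmld_attach_gsm() had already attached the mux to the tty. Suggest one sentence in the changelog saying the duplicate initialization is removed as well. Since these objects are now always initialized, also confirm that the teardown path (not shown in this diff) deletes both timers and cancels tx_work even for a mux that was opened but never activated.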

