[17/20] tty: n_gsm: fix reset fifo race condition

Message ID	20220414094225.4527-17-daniel.starke@siemens.com
State	New
Headers	show Return-Path: <linux-serial-owner@kernel.org> From: "D. Starke" <daniel.starke@siemens.com> To: linux-serial@vger.kernel.org, gregkh@linuxfoundation.org, jirislaby@kernel.org Cc: linux-kernel@vger.kernel.org, Daniel Starke <daniel.starke@siemens.com> Subject: [PATCH 17/20] tty: n_gsm: fix reset fifo race condition Date: Thu, 14 Apr 2022 02:42:22 -0700 Message-Id: <20220414094225.4527-17-daniel.starke@siemens.com> In-Reply-To: <20220414094225.4527-1-daniel.starke@siemens.com> References: <20220414094225.4527-1-daniel.starke@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Feedback-ID: 519:519-314044:519-21489:flowmailer Precedence: bulk
Series	[01/20] tty: n_gsm: fix missing mux reset on config change at responder \| expand [01/20] tty: n_gsm: fix missing mux reset on config change at responder [02/20] tty: n_gsm: fix restart handling via CLD command [03/20] tty: n_gsm: fix decoupled mux resource [04/20] tty: n_gsm: fix mux cleanup after unregister tty device [05/20] tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2 [06/20] tty: n_gsm: fix frame reception handling [07/20] tty: n_gsm: fix malformed counter for out of frame data [08/20] tty: n_gsm: fix insufficient txframe size [09/20] tty: n_gsm: fix wrong DLCI release order [10/20] tty: n_gsm: fix missing explicit ldisc flush [11/20] tty: n_gsm: fix wrong command retry handling [12/20] tty: n_gsm: fix wrong command frame length field encoding [13/20] tty: n_gsm: fix wrong signal octets encoding in MSC [14/20] tty: n_gsm: fix missing tty wakeup in convergence layer type 2 [15/20] tty: n_gsm: fix missing update of modem controls after DLCI open [16/20] tty: n_gsm: fix invalid command/response bit check for UI/UIH frames [17/20] tty: n_gsm: fix reset fifo race condition [18/20] tty: n_gsm: fix implicit CR bit encoding in address field [19/20] tty: n_gsm: fix wrong behavior of gsm_carrier_raised() on debug [20/20] tty: n_gsm: fix incorrect UA handling

Message ID

20220414094225.4527-17-daniel.starke@siemens.com

State

New

Headers

From: "D. Starke" <daniel.starke@siemens.com>
To: linux-serial@vger.kernel.org, gregkh@linuxfoundation.org,
        jirislaby@kernel.org
Cc: linux-kernel@vger.kernel.org,
        Daniel Starke <daniel.starke@siemens.com>
Subject: [PATCH 17/20] tty: n_gsm: fix reset fifo race condition
Date: Thu, 14 Apr 2022 02:42:22 -0700
Message-Id: <20220414094225.4527-17-daniel.starke@siemens.com>
In-Reply-To: <20220414094225.4527-1-daniel.starke@siemens.com>
References: <20220414094225.4527-1-daniel.starke@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Feedback-ID: 519:519-314044:519-21489:flowmailer
Precedence: bulk

Series

[01/20] tty: n_gsm: fix missing mux reset on config change at responder | expand

Commit Message

D. Starke April 14, 2022, 9:42 a.m. UTC

From: Daniel Starke <daniel.starke@siemens.com>

gsmtty_write() and gsm_dlci_data_output() properly guard the fifo access.
However, gsm_dlci_close() and gsmtty_flush_buffer() modifies the fifo but
do not guard this.
Add a guard here to prevent race conditions on parallel writes to the fifo.

Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
---
 drivers/tty/n_gsm.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index f4ec48c0d6d7..1e135a71860f 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -1446,13 +1446,17 @@  static int gsm_control_wait(struct gsm_mux *gsm, struct gsm_control *control)
 
 static void gsm_dlci_close(struct gsm_dlci *dlci)
 {
+	unsigned long flags;
+
 	del_timer(&dlci->t1);
 	if (debug & 8)
 		pr_debug("DLCI %d goes closed.\n", dlci->addr);
 	dlci->state = DLCI_CLOSED;
 	if (dlci->addr != 0) {
 		tty_port_tty_hangup(&dlci->port, false);
+		spin_lock_irqsave(&dlci->lock, flags);
 		kfifo_reset(&dlci->fifo);
+		spin_unlock_irqrestore(&dlci->lock, flags);
 		/* Ensure that gsmtty_open() can return. */
 		tty_port_set_initialized(&dlci->port, 0);
 		wake_up_interruptible(&dlci->port.open_wait);
@@ -3150,13 +3154,17 @@  static unsigned int gsmtty_chars_in_buffer(struct tty_struct *tty)
 static void gsmtty_flush_buffer(struct tty_struct *tty)
 {
 	struct gsm_dlci *dlci = tty->driver_data;
+	unsigned long flags;
+
 	if (dlci->state == DLCI_CLOSED)
 		return;
 	/* Caution needed: If we implement reliable transport classes
 	   then the data being transmitted can't simply be junked once
 	   it has first hit the stack. Until then we can just blow it
 	   away */
+	spin_lock_irqsave(&dlci->lock, flags);
 	kfifo_reset(&dlci->fifo);
+	spin_unlock_irqrestore(&dlci->lock, flags);
 	/* Need to unhook this DLCI from the transmit queue logic */
 }

[17/20] tty: n_gsm: fix reset fifo race condition

Commit Message

Patch