tty: n_gsm: fix reset fifo race condition
authorDaniel Starke <daniel.starke@siemens.com>
Thu, 14 Apr 2022 09:42:22 +0000 (02:42 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 9 May 2022 07:14:44 +0000 (09:14 +0200)
commit 73029a4d7161f8b6c0934553145ef574d2d0c645 upstream.

gsmtty_write() and gsm_dlci_data_output() properly guard the fifo access.
However, gsm_dlci_close() and gsmtty_flush_buffer() modifies the fifo but
do not guard this.
Add a guard here to prevent race conditions on parallel writes to the fifo.

Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
Link: https://lore.kernel.org/r/20220414094225.4527-17-daniel.starke@siemens.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tty/n_gsm.c

index 0985009..6f0b155 100644 (file)
@@ -1417,13 +1417,17 @@ static int gsm_control_wait(struct gsm_mux *gsm, struct gsm_control *control)
 
 static void gsm_dlci_close(struct gsm_dlci *dlci)
 {
+       unsigned long flags;
+
        del_timer(&dlci->t1);
        if (debug & 8)
                pr_debug("DLCI %d goes closed.\n", dlci->addr);
        dlci->state = DLCI_CLOSED;
        if (dlci->addr != 0) {
                tty_port_tty_hangup(&dlci->port, false);
+               spin_lock_irqsave(&dlci->lock, flags);
                kfifo_reset(&dlci->fifo);
+               spin_unlock_irqrestore(&dlci->lock, flags);
                /* Ensure that gsmtty_open() can return. */
                tty_port_set_initialized(&dlci->port, 0);
                wake_up_interruptible(&dlci->port.open_wait);
@@ -3078,13 +3082,17 @@ static unsigned int gsmtty_chars_in_buffer(struct tty_struct *tty)
 static void gsmtty_flush_buffer(struct tty_struct *tty)
 {
        struct gsm_dlci *dlci = tty->driver_data;
+       unsigned long flags;
+
        if (dlci->state == DLCI_CLOSED)
                return;
        /* Caution needed: If we implement reliable transport classes
           then the data being transmitted can't simply be junked once
           it has first hit the stack. Until then we can just blow it
           away */
+       spin_lock_irqsave(&dlci->lock, flags);
        kfifo_reset(&dlci->fifo);
+       spin_unlock_irqrestore(&dlci->lock, flags);
        /* Need to unhook this DLCI from the transmit queue logic */
 }