From: daniel.starke@siemens.com
To: linux-serial@vger.kernel.org, gregkh@linuxfoundation.org,
	jirislaby@kernel.org
Cc: linux-kernel@vger.kernel.org, Daniel Starke <daniel.starke@siemens.com>
Subject: [PATCH 4/7] tty: n_gsm: fix NULL pointer access due to DLCI release
Date: Thu, 17 Feb 2022 23:31:20 -0800
Message-ID: <20220218073123.2121-4-daniel.starke@siemens.com>
In-Reply-To: <20220218073123.2121-1-daniel.starke@siemens.com>

The here fixed commit made the tty hangup asynchronous to avoid a circular
locking warning. I could not reproduce this warning. Furthermore, due to
the asynchronous hangup the function call now gets queued up while the
underlying tty is being freed. Depending on the timing this results in a
NULL pointer access in the global work queue scheduler. To be precise in
process_one_work(). Therefore, the previous commit made the issue worse
which it tried to fix.

This patch fixes this by falling back to the old behavior which uses a
blocking tty hangup call before freeing up the associated tty.

Fixes: 7030082a7415 ("tty: n_gsm: avoid recursive locking with async port hangup")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
---
 drivers/tty/n_gsm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 0b1808e3a912..e63154ef0b6c 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -1748,7 +1748,12 @@ static void gsm_dlci_release(struct gsm_dlci *dlci)
 		gsm_destroy_network(dlci);
 		mutex_unlock(&dlci->mutex);
 
-		tty_hangup(tty);
+		/* We cannot use tty_hangup() because in tty_kref_put() the tty
+		 * driver assumes that the hangup queue is free and reuses it to
+		 * queue release_one_tty() -> NULL pointer panic in
+		 * process_one_work().
+		 */
+		tty_vhangup(tty);
 
 		tty_port_tty_set(&dlci->port, NULL);
 		tty_kref_put(tty);
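
Review bot: The switch to tty_vhangup(tty) in gsm_dlci_release() brings back the blocking hangup that 7030082a7415 removed to avoid recursive locking, and the only argument given for that being safe is that the warning could not be reproduced. Please state in the commit message which locks can be held by the callers of gsm_dlci_release() at this point and why the synchronous hangup cannot recurse into them; the visible code only shows that dlci->mutex has been dropped just before the call. As a smaller style point, the new block comment starts its text on the "/*" line, while the usual multi-line form puts "/*" on a line of its own, and the "->" shorthand in it would read better as a full sentence saying that the queued hangup work is still pending when tty_kref_put(tty) two lines below releases the tty.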
-- 
2.25.1

