From: daniel.starke@siemens.com
To: linux-serial@vger.kernel.org, gregkh@linuxfoundation.org, jirislaby@kernel.org
Cc: linux-kernel@vger.kernel.org, Daniel Starke
Subject: [PATCH 4/7] tty: n_gsm: fix NULL pointer access due to DLCI release
Date: Thu, 17 Feb 2022 23:31:20 -0800
Message-Id: <20220218073123.2121-4-daniel.starke@siemens.com>
In-Reply-To: <20220218073123.2121-1-daniel.starke@siemens.com>
References: <20220218073123.2121-1-daniel.starke@siemens.com>

The here fixed commit made the tty hangup asynchronous to avoid a circular locking warning. I could not reproduce this warning. Furthermore, due to the asynchronous hangup the function call now gets queued up while the underlying tty is being freed. Depending on the timing this results in a NULL pointer access in the global work queue scheduler. To be precise in process_one_work(). Therefore, the previous commit made the issue worse which it tried to fix.

This patch fixes this by falling back to the old behavior which uses a blocking tty hangup call before freeing up the associated tty.

Fixes: 7030082a7415 ("tty: n_gsm: avoid recursive locking with async port hangup")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke

--- drivers/tty/n_gsm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 0b1808e3a912..e63154ef0b6c 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c
@@ -1748,7 +1748,12 @@ static void gsm_dlci_release(struct gsm_dlci *dlci) gsm_destroy_network(dlci); mutex_unlock(&dlci->mutex); - tty_hangup(tty); + /* We cannot use tty_hangup() because in tty_kref_put() the tty + * driver assumes that the hangup queue is free and reuses it to + * queue release_one_tty() -> NULL pointer panic in + * process_one_work(). + */ + tty_vhangup(tty); tty_port_tty_set(&dlci->port, NULL); tty_kref_put(tty); -- 2.25.1
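
Review bot: the comment added above tty_vhangup(tty) documents the crash path but not why a blocking hangup is safe at this point, which is the question the commit named in the Fixes tag, 7030082a7415 ("tty: n_gsm: avoid recursive locking with async port hangup"), was answering. The call sits after mutex_unlock(&dlci->mutex), so that mutex is not held here; please state in the comment or the commit message which lock the original warning involved and why it cannot recur, since "I could not reproduce this warning" leaves that open for a change copied to stable. As a style point, the new comment puts text on the opening "/*" line; the usual kernel multi-line form starts with "/*" on a line of its own.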