From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Starke
Subject: [PATCH 5.4 78/84] tty: n_gsm: fix insufficient txframe size
Date: Wed, 4 May 2022 18:44:59 +0200
Message-Id: <20220504152933.672339990@linuxfoundation.org>
In-Reply-To: <20220504152927.744120418@linuxfoundation.org>
References: <20220504152927.744120418@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Starke

commit 535bf600de75a859698892ee873521a48d289ec1 upstream.

n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to the newer 27.010 here.

Chapter 5.7.2 states that the maximum frame size (N1) refers to the length of the information field (i.e. user payload). However, 'txframe' stores the whole frame including frame header, checksum and start/end flags. We also need to consider the byte stuffing overhead.

Define constant for the protocol overhead and adjust the 'txframe' size calculation accordingly to reserve enough space for a complete mux frame including byte stuffing for advanced option mode. Note that no byte stuffing is applied to the start and end flag. Also use MAX_MTU instead of MAX_MRU as this buffer is used for data transmission.

Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Starke
Link: https://lore.kernel.org/r/20220414094225.4527-8-daniel.starke@siemens.com
Signed-off-by: Greg Kroah-Hartman
--- drivers/tty/n_gsm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -72,6 +72,8 @@ module_param(debug, int, 0600); */ #define MAX_MRU 1500 #define MAX_MTU 1500 +/* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */ +#define PROT_OVERHEAD 7 #define GSM_NET_TX_TIMEOUT (HZ*10) /** @@ -2209,7 +2211,7 @@ static struct gsm_mux *gsm_alloc_mux(voi kfree(gsm); return NULL; } - gsm->txframe = kmalloc(2 * MAX_MRU + 2, GFP_KERNEL); + gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL); if (gsm->txframe == NULL) { kfree(gsm->buf); kfree(gsm);
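
Review bot: The comment above `#define PROT_OVERHEAD 7` in the first hunk lists the seven counted fields but does not say that the value is in bytes, that the `...` stands for the information field and is not counted, or that the count assumes the two-byte length form (LEN1 and LEN2). Suggest spelling that out in the comment, for example `/* bytes: SOF, ADDR, CTRL, LEN1, LEN2, FCS, EOF; payload not included */`, so the constant can be checked against the frame layout without reading the commit message.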
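
Review bot: In the `kmalloc()` call of the gsm_alloc_mux() hunk, the `- 1` in `2 * (MAX_MTU + PROT_OVERHEAD - 1)` is unexplained in the code. It is algebraically `2 * (MAX_MTU + PROT_OVERHEAD - 2) + 2`, that is, every byte except the two flags doubled for stuffing, plus the two unstuffed flags, but that reasoning exists only in the commit message. A one-line comment above the allocation, or a named macro for the buffer size, would keep it next to the code. Since the buffer is sized from the compile-time MAX_MTU, it is also worth confirming that a configured MTU can never exceed MAX_MTU; that check is not visible in this diff.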