!3607 Fix CVE-2023-6546

	gsm->io_error++;

	gsm->io_error++;

}

}

static int gsm_disconnect(struct gsm_mux *gsm)

{

	struct gsm_dlci *dlci = gsm->dlci[0];

	struct gsm_control *gc;

	if (!dlci)

		return 0;

	/* In theory disconnecting DLCI 0 is sufficient but for some

	   modems this is apparently not the case. */

	gc = gsm_control_send(gsm, CMD_CLD, NULL, 0);

	if (gc)

		gsm_control_wait(gsm, gc);

	del_timer_sync(&gsm->t2_timer);

	/* Now we are sure T2 has stopped */

	gsm_dlci_begin_close(dlci);

	wait_event_interruptible(gsm->event,

				dlci->state == DLCI_CLOSED);

	if (signal_pending(current))

		return -EINTR;

	return 0;

}

/**

/**

 *	gsm_cleanup_mux		-	generic GSM protocol cleanup

 *	gsm_cleanup_mux		-	generic GSM protocol cleanup

 *	@gsm: our mux

 *	@gsm: our mux

 *	@disc: disconnect link?

 *

 *

 *	Clean up the bits of the mux which are the same for all framing

 *	Clean up the bits of the mux which are the same for all framing

 *	protocols. Remove the mux from the mux table, stop all the timers

 *	protocols. Remove the mux from the mux table, stop all the timers

 *	and then shut down each device hanging up the channels as we go.

 *	and then shut down each device hanging up the channels as we go.

 */

 */

static void gsm_cleanup_mux(struct gsm_mux *gsm)

static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)

{

{

	int i;

	int i;

	struct gsm_dlci *dlci = gsm->dlci[0];

	struct gsm_dlci *dlci;

	struct gsm_msg *txq, *ntxq;

	struct gsm_msg *txq, *ntxq;

	gsm->dead = 1;

	gsm->dead = 1;

	mutex_lock(&gsm->mutex);

	dlci = gsm->dlci[0];

	if (dlci) {

		if (disc && dlci->state != DLCI_CLOSED) {

			gsm_dlci_begin_close(dlci);

			wait_event(gsm->event, dlci->state == DLCI_CLOSED);

		}

		dlci->dead = true;

	}

	/* Finish outstanding timers, making sure they are done */

	del_timer_sync(&gsm->t2_timer);

	spin_lock(&gsm_mux_lock);

	spin_lock(&gsm_mux_lock);

	for (i = 0; i < MAX_MUX; i++) {

	for (i = 0; i < MAX_MUX; i++) {

	if (i == MAX_MUX)

	if (i == MAX_MUX)

		return;

		return;

	del_timer_sync(&gsm->t2_timer);

	/* Now we are sure T2 has stopped */

	if (dlci)

		dlci->dead = 1;

	/* Free up any link layer users */

	/* Free up any link layer users */

	mutex_lock(&gsm->mutex);

	for (i = 0; i < NUM_DLCI; i++)

	for (i = 0; i < NUM_DLCI; i++)

		if (gsm->dlci[i])

		if (gsm->dlci[i])

			gsm_dlci_release(gsm->dlci[i]);

			gsm_dlci_release(gsm->dlci[i]);

	WARN_ON(tty != gsm->tty);

	WARN_ON(tty != gsm->tty);

	for (i = 1; i < NUM_DLCI; i++)

	for (i = 1; i < NUM_DLCI; i++)

		tty_unregister_device(gsm_tty_driver, base + i);

		tty_unregister_device(gsm_tty_driver, base + i);

	gsm_cleanup_mux(gsm);

	gsm_cleanup_mux(gsm, false);

	tty_kref_put(gsm->tty);

	tty_kref_put(gsm->tty);

	gsm->tty = NULL;

	gsm->tty = NULL;

}

}

	ret = gsmld_attach_gsm(tty, gsm);

	ret = gsmld_attach_gsm(tty, gsm);

	if (ret != 0) {

	if (ret != 0) {

		gsm_cleanup_mux(gsm);

		gsm_cleanup_mux(gsm, false);

		mux_put(gsm);

		mux_put(gsm);

	}

	}

	return ret;

	return ret;

	/*

	/*

	 *	Close down what is needed, restart and initiate the new

	 *	Close down what is needed, restart and initiate the new

	 *	configuration

	 *	configuration. On the first time there is no DLCI[0]

	 *	and closing or cleaning up is not necessary.

	 */

	 */

	if (need_close || need_restart)

	if (need_close || need_restart) {

		gsm_cleanup_mux(gsm, true);

		int ret;

		ret = gsm_disconnect(gsm);

		if (ret)

			return ret;

	}

	if (need_restart)

		gsm_cleanup_mux(gsm);

	gsm->initiator = c->initiator;

	gsm->initiator = c->initiator;

	gsm->mru = c->mru;

	gsm->mru = c->mru;