Commit c9ab053e authored by Fedor Pchelkin's avatar Fedor Pchelkin Committed by Greg Kroah-Hartman
Browse files

tty: n_gsm: replace kicktimer with delayed_work 



A kick_timer timer_list is replaced with kick_timeout delayed_work to be
able to synchronize with mutexes as a prerequisite for the introduction
of tx_mutex.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: c568f708 ("tty: n_gsm: fix missing timer to handle stalled links")
Cc: stable <stable@kernel.org>
Reviewed-by: default avatarJiri Slaby <jirislaby@kernel.org>
Suggested-by: default avatarHillf Danton <hdanton@sina.com>
Signed-off-by: default avatarFedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
Link: https://lore.kernel.org/r/20220829131640.69254-2-pchelkin@ispras.ru


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 4bb1a53b

drivers/tty/n_gsm.c

+8 −8
Original line number Diff line number Diff line
@@ -256,7 +256,7 @@ struct gsm_mux { 
	struct list_head tx_data_list;	/* Pending data packets */



	/* Control messages */

	struct timer_list kick_timer;	/* Kick TX queuing on timeout */

	struct delayed_work kick_timeout;	/* Kick TX queuing on timeout */

	struct timer_list t2_timer;	/* Retransmit timer for commands */

	int cretries;			/* Command retry counter */

	struct gsm_control *pending_cmd;/* Our current pending command */
@@ -1009,7 +1009,7 @@ static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg) 
	gsm->tx_bytes += msg->len;



	gsmld_write_trigger(gsm);

	mod_timer(&gsm->kick_timer, jiffies + 10 * gsm->t1 * HZ / 100);

	schedule_delayed_work(&gsm->kick_timeout, 10 * gsm->t1 * HZ / 100);

}



/**
@@ -1984,16 +1984,16 @@ static void gsm_dlci_command(struct gsm_dlci *dlci, const u8 *data, int len) 
}



/**

 *	gsm_kick_timer	-	transmit if possible

 *	@t: timer contained in our gsm object

 *	gsm_kick_timeout	-	transmit if possible

 *	@work: work contained in our gsm object

 *

 *	Transmit data from DLCIs if the queue is empty. We can't rely on

 *	a tty wakeup except when we filled the pipe so we need to fire off

 *	new data ourselves in other cases.

 */

static void gsm_kick_timer(struct timer_list *t)

static void gsm_kick_timeout(struct work_struct *work)

{

	struct gsm_mux *gsm = from_timer(gsm, t, kick_timer);

	struct gsm_mux *gsm = container_of(work, struct gsm_mux, kick_timeout.work);

	unsigned long flags;

	int sent = 0;
@@ -2458,7 +2458,7 @@ static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc) 
	}



	/* Finish outstanding timers, making sure they are done */

	del_timer_sync(&gsm->kick_timer);

	cancel_delayed_work_sync(&gsm->kick_timeout);

	del_timer_sync(&gsm->t2_timer);



	/* Finish writing to ldisc */
@@ -2605,7 +2605,7 @@ static struct gsm_mux *gsm_alloc_mux(void) 
	kref_init(&gsm->ref);

	INIT_LIST_HEAD(&gsm->tx_ctrl_list);

	INIT_LIST_HEAD(&gsm->tx_data_list);

	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);

	INIT_DELAYED_WORK(&gsm->kick_timeout, gsm_kick_timeout);

	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);

	INIT_WORK(&gsm->tx_work, gsmld_write_task);

	init_waitqueue_head(&gsm->event);