tty: n_gsm: initialize more members at gsm_alloc_mux()

stable inclusion from stable-v5.10.143 commit fb6cadd2a30fcfd5ec0b3b0207f32ea0630e64b5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0U6 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fb6cadd2a30fcfd5ec0b3b0207f32ea0630e64b5 -------------------------------- commit 4bb1a53b upstream. syzbot is reporting use of uninitialized spinlock at gsmld_write() [1], for commit 32dd59f9 ("tty: n_gsm: fix race condition in gsmld_write()") allows accessing gsm->tx_lock before gsm_activate_mux() initializes it. Since object initialization should be done right after allocation in order to avoid accessing uninitialized memory, move initialization of timer/work/waitqueue/spinlock from gsmld_open()/gsm_activate_mux() to gsm_alloc_mux(). Link: https://syzkaller.appspot.com/bug?extid=cf155def4e717db68a12 [1] Fixes: 32dd59f9 ("tty: n_gsm: fix race condition in gsmld_write()") Reported-by: N syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com> Tested-by: N syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com> Cc: stable <stable@kernel.org> Acked-by: N Jiri Slaby <jirislaby@kernel.org> Signed-off-by: N Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/2110618e-57f0-c1ce-b2ad-b6cacef3f60e@I-love.SAKURA.ne.jpSigned-off-by: N Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com> Reviewed-by: N Zheng Zengkai <zhengzengkai@huawei.com>

tty: n_gsm: initialize more members at gsm_alloc_mux()
stable inclusion from stable-v5.10.143 commit fb6cadd2a30fcfd5ec0b3b0207f32ea0630e64b5 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6D0U6 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fb6cadd2a30fcfd5ec0b3b0207f32ea0630e64b5 -------------------------------- commit 4bb1a53b upstream. syzbot is reporting use of uninitialized spinlock at gsmld_write() [1], for commit 32dd59f9 ("tty: n_gsm: fix race condition in gsmld_write()") allows accessing gsm->tx_lock before gsm_activate_mux() initializes it. Since object initialization should be done right after allocation in order to avoid accessing uninitialized memory, move initialization of timer/work/waitqueue/spinlock from gsmld_open()/gsm_activate_mux() to gsm_alloc_mux(). Link: https://syzkaller.appspot.com/bug?extid=cf155def4e717db68a12 [1] Fixes: 32dd59f9 ("tty: n_gsm: fix race condition in gsmld_write()") Reported-by: N syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com> Tested-by: N syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com> Cc: stable <stable@kernel.org> Acked-by: N Jiri Slaby <jirislaby@kernel.org> Signed-off-by: N Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/2110618e-57f0-c1ce-b2ad-b6cacef3f60e@I-love.SAKURA.ne.jpSigned-off-by: N Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Jialin Zhang <zhangjialin11@huawei.com> Reviewed-by: N Zheng Zengkai <zhengzengkai@huawei.com>
0f7fa6cd · Tetsuo Handa · Jialin Zhang · c7087094 · 0f7fa6cd
隐藏空白更改
内联并排

Showing with 4 addition and 5 deletion

drivers/tty/n_gsm.c drivers/tty/n_gsm.c +4 -5

未找到文件。
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -2200,11 +2200,6 @@ static int gsm_activate_mux(struct gsm_mux *gsm)
 {
 	struct gsm_dlci *dlci;

-	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
-	init_waitqueue_head(&gsm->event);
-	spin_lock_init(&gsm->control_lock);
-	spin_lock_init(&gsm->tx_lock);
-
 	if (gsm->encoding == 0)
 		gsm->receive = gsm0_receive;
 	else
@@ -2306,6 +2301,10 @@ static struct gsm_mux *gsm_alloc_mux(void)
 	mutex_init(&gsm->mutex);
 	kref_init(&gsm->ref);
 	INIT_LIST_HEAD(&gsm->tx_list);
+	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
+	init_waitqueue_head(&gsm->event);
+	spin_lock_init(&gsm->control_lock);
+	spin_lock_init(&gsm->tx_lock);

 	gsm->t1 = T1;
 	gsm->t2 = T2;