This is a note to let you know that I've just added the patch titled

    n_gsm: avoid accessing freed memory during CMD_FCOFF condition

to the 3.4-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     n_gsm-avoid-accessing-freed-memory-during-cmd_fcoff-condition.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 93ed2b137b974b6515f0c847438c7d78a567c1ce Mon Sep 17 00:00:00 2001
From: Russ Gorby <[email protected]>
Date: Mon, 13 Aug 2012 13:44:59 +0100
Subject: n_gsm: avoid accessing freed memory during CMD_FCOFF condition

From: Russ Gorby <[email protected]>

commit b4338e1efc339986cf6c0a3652906e914a86e2d3 upstream.

gsm_data_kick was recently modified to allow messages on the
tx queue bound for DLCI0 to flow even during FCOFF conditions.
Unfortunately we introduced a bug discovered by code inspection
where subsequent list traversers can access freed memory if
the DLCI0 messages were not all at the head of the list.

Replaced singly linked tx list w/ a list_head and used
provided interfaces for traversing and deleting members.

Signed-off-by: Russ Gorby <[email protected]>
Tested-by: Yin, Fengwei <[email protected]>
Signed-off-by: Alan Cox <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Ben Hutchings <[email protected]>
Cc: Rui Xiang <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 drivers/tty/n_gsm.c |   40 +++++++++++++---------------------------
 1 file changed, 13 insertions(+), 27 deletions(-)

--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -108,7 +108,7 @@ struct gsm_mux_net {
  */
 
 struct gsm_msg {
-       struct gsm_msg *next;
+       struct list_head list;
        u8 addr;                /* DLCI address + flags */
        u8 ctrl;                /* Control byte + flags */
        unsigned int len;       /* Length of data block (can be zero) */
@@ -245,8 +245,7 @@ struct gsm_mux {
        unsigned int tx_bytes;          /* TX data outstanding */
 #define TX_THRESH_HI           8192
 #define TX_THRESH_LO           2048
-       struct gsm_msg *tx_head;        /* Pending data packets */
-       struct gsm_msg *tx_tail;
+       struct list_head tx_list;       /* Pending data packets */
 
        /* Control messages */
        struct timer_list t2_timer;     /* Retransmit timer for commands */
@@ -663,7 +662,7 @@ static struct gsm_msg *gsm_data_alloc(st
        m->len = len;
        m->addr = addr;
        m->ctrl = ctrl;
-       m->next = NULL;
+       INIT_LIST_HEAD(&m->list);
        return m;
 }
 
@@ -681,16 +680,13 @@ static struct gsm_msg *gsm_data_alloc(st
 
 static void gsm_data_kick(struct gsm_mux *gsm)
 {
-       struct gsm_msg *msg = gsm->tx_head;
-       struct gsm_msg *free_msg;
+       struct gsm_msg *msg, *nmsg;
        int len;
        int skip_sof = 0;
 
-       while (msg) {
-               if (gsm->constipated && msg->addr) {
-                       msg = msg->next;
+       list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) {
+               if (gsm->constipated && msg->addr)
                        continue;
-               }
                if (gsm->encoding != 0) {
                        gsm->txframe[0] = GSM1_SOF;
                        len = gsm_stuff_frame(msg->data,
@@ -718,14 +714,9 @@ static void gsm_data_kick(struct gsm_mux
                   burst */
                skip_sof = 1;
 
-               if (gsm->tx_head == msg)
-                       gsm->tx_head = msg->next;
-               free_msg = msg;
-               msg = msg->next;
-               kfree(free_msg);
+               list_del(&msg->list);
+               kfree(msg);
        }
-       if (!gsm->tx_head)
-               gsm->tx_tail = NULL;
 }
 
 /**
@@ -774,11 +765,7 @@ static void __gsm_data_queue(struct gsm_
        msg->data = dp;
 
        /* Add to the actual output queue */
-       if (gsm->tx_tail)
-               gsm->tx_tail->next = msg;
-       else
-               gsm->tx_head = msg;
-       gsm->tx_tail = msg;
+       list_add_tail(&msg->list, &gsm->tx_list);
        gsm->tx_bytes += msg->len;
        gsm_data_kick(gsm);
 }
@@ -2052,7 +2039,7 @@ void gsm_cleanup_mux(struct gsm_mux *gsm
 {
        int i;
        struct gsm_dlci *dlci = gsm->dlci[0];
-       struct gsm_msg *txq;
+       struct gsm_msg *txq, *utxq;
        struct gsm_control *gc;
 
        gsm->dead = 1;
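Review bot: The iterator declared on this hunk's `struct gsm_msg *txq, *utxq;` line does not match the name used by the loop in the next hunk of gsm_cleanup_mux, `list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list)`, so as the patch reads here `ntxq` is undeclared and the file will not compile. The declaration should be `struct gsm_msg *txq, *ntxq;` (or the loop should use `utxq`); either way the two hunks must agree. gsm_cleanup_mux's body continues outside both hunks, and the freeing loop omitting list_del() is acceptable only because the list head is re-initialised with INIT_LIST_HEAD immediately afterwards.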
@@ -2087,11 +2074,9 @@ void gsm_cleanup_mux(struct gsm_mux *gsm
                if (gsm->dlci[i])
                        gsm_dlci_release(gsm->dlci[i]);
        /* Now wipe the queues */
-       for (txq = gsm->tx_head; txq != NULL; txq = gsm->tx_head) {
-               gsm->tx_head = txq->next;
+       list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list)
                kfree(txq);
-       }
-       gsm->tx_tail = NULL;
+       INIT_LIST_HEAD(&gsm->tx_list);
 }
 EXPORT_SYMBOL_GPL(gsm_cleanup_mux);
 
@@ -2202,6 +2187,7 @@ struct gsm_mux *gsm_alloc_mux(void)
        }
        spin_lock_init(&gsm->lock);
        kref_init(&gsm->ref);
+       INIT_LIST_HEAD(&gsm->tx_list);
 
        gsm->t1 = T1;
        gsm->t2 = T2;


Patches currently in stable-queue which might be from [email protected] are

queue-3.4/n_gsm-flow-control-handling-in-mux-driver.patch
queue-3.4/n_gsm-replace-kfree_skb-w-appropriate-dev_-versions.patch
queue-3.4/n_gsm-avoid-accessing-freed-memory-during-cmd_fcoff-condition.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
