
Commit 4bb1a53

Tetsuo Handa authored and gregkh committed
tty: n_gsm: initialize more members at gsm_alloc_mux()
syzbot is reporting use of uninitialized spinlock at gsmld_write() [1], for commit 32dd59f ("tty: n_gsm: fix race condition in gsmld_write()") allows accessing gsm->tx_lock before gsm_activate_mux() initializes it. Since object initialization should be done right after allocation in order to avoid accessing uninitialized memory, move initialization of timer/work/waitqueue/spinlock from gsmld_open()/gsm_activate_mux() to gsm_alloc_mux(). Link: https://syzkaller.appspot.com/bug?extid=cf155def4e717db68a12 [1] Fixes: 32dd59f ("tty: n_gsm: fix race condition in gsmld_write()") Reported-by: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com> Tested-by: syzbot <syzbot+cf155def4e717db68a12@syzkaller.appspotmail.com> Cc: stable <stable@kernel.org> Acked-by: Jiri Slaby <jirislaby@kernel.org> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Link: https://lore.kernel.org/r/2110618e-57f0-c1ce-b2ad-b6cacef3f60e@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent f16c6d2 commit 4bb1a53

1 file changed

+6
-11
lines changed

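--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -2501,13 +2501,6 @@ static int gsm_activate_mux(struct gsm_mux *gsm)
 if (dlci == NULL)
 return -ENOMEM;
 
-timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
-timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
-INIT_WORK(&gsm->tx_work, gsmld_write_task);
-init_waitqueue_head(&gsm->event);
-spin_lock_init(&gsm->control_lock);
-spin_lock_init(&gsm->tx_lock);
-
 if (gsm->encoding == 0)
 gsm->receive = gsm0_receive;
 else
@@ -2612,6 +2605,12 @@ static struct gsm_mux *gsm_alloc_mux(void)
 kref_init(&gsm->ref);
 INIT_LIST_HEAD(&gsm->tx_ctrl_list);
 INIT_LIST_HEAD(&gsm->tx_data_list);
+timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
+timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
+INIT_WORK(&gsm->tx_work, gsmld_write_task);
+init_waitqueue_head(&gsm->event);
+spin_lock_init(&gsm->control_lock);
+spin_lock_init(&gsm->tx_lock);
 
 gsm->t1 = T1;
 gsm->t2 = T2;
@@ -2947,10 +2946,6 @@ static int gsmld_open(struct tty_struct *tty)
 
 gsmld_attach_gsm(tty, gsm);
 
-timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
-timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
-INIT_WORK(&gsm->tx_work, gsmld_write_task);
-
 return 0;
 }
 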
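Review bot: The six initializers added to gsm_alloc_mux() carry no comment explaining why they must live here rather than in gsm_activate_mux() or gsmld_open(), so a future cleanup could move them back and silently reintroduce the uninitialized-lock access the commit message describes. I would put a short comment above the new timer_setup() line, e.g. `/* Locks, timers and work must be valid as soon as the mux exists: gsmld_write() can run before gsm_activate_mux(). */`, so the ordering constraint is visible at the point of initialization. It is also worth noting in that comment that gsm_activate_mux() is no longer responsible for re-initializing these objects, since re-running timer_setup()/INIT_WORK on a possibly pending timer or work item would itself be unsafe; whether activate can be entered more than once per mux is not visible in this hunk and should be confirmed. All three enclosing functions (gsm_activate_mux, gsm_alloc_mux, gsmld_open) start and end outside the shown hunks.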