Patch "tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1e8ac41a8b614d7f9711efeb04018aed590e7664
Author: Duoming Zhou <duoming@xxxxxxxxxx>
Date:   Sun Oct 2 12:07:09 2022 +0800

    tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send
    
    [ Upstream commit 7b7dfe4833c70a11cdfa51b38705103bd31eddaa ]
    
    The function gsm_dlci_t1() is a timer handler that runs in an
    atomic context, but it calls "kzalloc(..., GFP_KERNEL)" that
    may sleep. As a result, the sleep-in-atomic-context bug will
    happen. The process is shown below:
    
    gsm_dlci_t1()
     gsm_dlci_open()
      gsm_modem_update()
       gsm_modem_upd_via_msc()
        gsm_control_send()
         kzalloc(sizeof(.., GFP_KERNEL) //may sleep
    
    This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to
    GFP_ATOMIC in order to mitigate the bug.
    
    Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
    Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221002040709.27849-1-duoming@xxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
index 1d50f3ab4e5a..97f6860c911e 100644
--- a/drivers/tty/n_gsm.c
+++ b/drivers/tty/n_gsm.c
@@ -1425,7 +1425,7 @@ static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
 		unsigned int command, u8 *data, int clen)
 {
 	struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
-						GFP_KERNEL);
+						GFP_ATOMIC);
 	unsigned long flags;
 	if (ctrl == NULL)
 		return NULL;
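Review bot: the switch to GFP_ATOMIC at the kzalloc() call in gsm_control_send() applies to every caller of the function, not only the gsm_dlci_t1() timer path named in the commit message, so callers in process context can no longer sleep for memory and will see allocation failures more readily under pressure. The existing `if (ctrl == NULL) return NULL;` handles the failure locally, but each caller (gsm_modem_upd_via_msc() in the listed call chain included) should be confirmed to check for a NULL return. The hunk shows only the allocation, so the remainder of gsm_control_send() should also be checked for any other call that may sleep on the timer path, given that the commit message describes the change as a mitigation.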


