From patchwork Tue Jul 16 16:54:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: George Kennedy X-Patchwork-Id: 812952 Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A8E1D38F86; Tue, 16 Jul 2024 16:57:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.177.32 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721149060; cv=none; b=BOxqi18FUrudx/WqvrLNR0/id2lDyMr0TNQLSeRcSIjMqEqHFw/Zq9usd9dsrWnMcp3CQPTShMPwPX8AQREn+qCbROqo+vikW28+WR4wstJV3EARl6JOn0lY1j16U4kS/2UlQELz3ChLiR1DfxPd6BCZajqiyq74Z5+QI93ZnTI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721149060; c=relaxed/simple; bh=KftzSd0ezYHEzF5fywwseh+yzw+kXUe0ypVapiuvJTA=; h=From:To:Cc:Subject:Date:Message-Id; b=pya7gHyDZ+JW5lWXeVkL+tJzCbIx7fjBujBSjpqM5qgDgHd0YatDzavy50eCq1ZZNTc8Rk+WQatKZaOtrOThgmujuAoThnrQAWnp76Hq7ISN5pijd/MD6bJOHrpw7ug2aEVk6ufJ26RX5z7+wOngMPBnjgY+GzOXy3JeAt5ISXs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com; spf=pass smtp.mailfrom=oracle.com; dkim=pass (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b=Nyh0O/vy; arc=none smtp.client-ip=205.220.177.32 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oracle.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b="Nyh0O/vy" Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 46GFMTUE019559; Tue, 16 Jul 2024 16:57:16 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h= from:to:cc:subject:date:message-id; s=corp-2023-11-20; bh=QJMXMY B3gCRhH1WKrjs5xzAXx0PQ2pQ4aV05ctyf6R8=; b=Nyh0O/vymk7CSsZI2UMyHS tr9BJsV54r86CE38ZFFuFcqMF9aoN9N9/rGbFMWDKbGjyDnp/eVHkNUwe/SYAVUO 7ihkJgkUzIXP/IhmWaCN2Zh2+jVr/4etzHLCIe9FPIUUv+4xkLZGrZc3xZEYZUdn +rGb53NYt0493Mc9pPne17XMeHEYmdVkcGvPVGfgW/qfsBHdt+f3dSZykURyse4C rzj2RDMaAOI0m+SiUXQZQQQwgroqv6Q48Q9aPXmPytgt1kDB3RxLW+UsWS6kO7X4 EgSIbJEydEe/R/kC4YrJsouqV4foCrSFuy4jjJK3a7cBZ+AqMJTZBzeYCVph/n7A == Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.appoci.oracle.com [130.35.103.27]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 40bgc2ehtp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 16 Jul 2024 16:57:16 +0000 (GMT) Received: from pps.filterd (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (8.17.1.19/8.17.1.19) with ESMTP id 46GFmkhl040590; Tue, 16 Jul 2024 16:57:15 GMT Received: from pps.reinject (localhost [127.0.0.1]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 40bg19maef-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 16 Jul 2024 16:57:15 +0000 Received: from iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 46GGvFsf010989; Tue, 16 Jul 2024 16:57:15 GMT Received: from gkennedy-linux.us.oracle.com (gkennedy-linux.us.oracle.com [10.152.170.45]) by iadpaimrmta03.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTP id 40bg19madv-1; Tue, 16 Jul 2024 16:57:15 +0000 From: George Kennedy To: gregkh@linuxfoundation.org, jirislaby@kernel.org, tony@atomide.com, andriy.shevchenko@linux.intel.com, l.sanfilippo@kunbus.com, tglx@linutronix.de, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org Cc: george.kennedy@oracle.com, stable@vger.kernel.org, harshit.m.mogalapalli@oracle.com Subject: [PATCH] serial: core: check uartclk for zero to avoid divide by zero Date: Tue, 16 Jul 2024 11:54:08 -0500 Message-Id: <1721148848-9784-1-git-send-email-george.kennedy@oracle.com> X-Mailer: git-send-email 1.8.3.1 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-15_19,2024-07-16_02,2024-05-17_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 mlxscore=0 phishscore=0 mlxlogscore=999 bulkscore=0 adultscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2406180000 definitions=main-2407160125 X-Proofpoint-GUID: RAdmJxv5KT9oBH_Seb1IUCxHRQ8tbR0m X-Proofpoint-ORIG-GUID: RAdmJxv5KT9oBH_Seb1IUCxHRQ8tbR0m Precedence: bulk X-Mailing-List: linux-serial@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Calling ioctl TIOCSSERIAL with an invalid baud_base can result in uartclk being zero, which will result in a divide by zero error in uart_get_divisor(). The check for uartclk being zero in uart_set_info() needs to be done before other settings are made as subsequent calls to ioctl TIOCSSERIAL for the same port would be impacted if the uartclk check was done where uartclk gets set. Oops: divide error: 0000 PREEMPT SMP KASAN PTI RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) Call Trace: serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 drivers/tty/serial/8250/8250_port.c:2589) serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 drivers/tty/serial/8250/8250_port.c:2741) serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) uart_change_line_settings (./include/linux/spinlock.h:376 ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) uart_port_startup (drivers/tty/serial/serial_core.c:342) uart_startup (drivers/tty/serial/serial_core.c:368) uart_set_info (drivers/tty/serial/serial_core.c:1034) uart_set_info_user (drivers/tty/serial/serial_core.c:1059) tty_set_serial (drivers/tty/tty_io.c:2637) tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Reported-by: syzkaller Signed-off-by: George Kennedy --- serial_struct baud_base=0x30000000 will cause the crash. drivers/tty/serial/serial_core.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 2a8006e3d687..9967444eae10 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -881,6 +881,14 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if (!(uport->flags & UPF_FIXED_PORT)) { + unsigned int uartclk = new_info->baud_base * 16; + /* check needs to be done here before other settings made */ + if (uartclk == 0) { + retval = -EINVAL; + goto exit; + } + } if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port ||