From: Greg Kroah-Hartman Date: Mon, 12 Aug 2024 11:44:06 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v6.1.105~72 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=613fd0f5567a53a62c496abe454ef81a58a0700a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch --- diff --git a/queue-4.19/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch b/queue-4.19/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch new file mode 100644 index 00000000000..d7e0150616d --- /dev/null +++ b/queue-4.19/serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch @@ -0,0 +1,68 @@ +From 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 Mon Sep 17 00:00:00 2001 +From: George Kennedy +Date: Wed, 17 Jul 2024 07:24:38 -0500 +Subject: serial: core: check uartclk for zero to avoid divide by zero + +From: George Kennedy + +commit 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 upstream. + +Calling ioctl TIOCSSERIAL with an invalid baud_base can +result in uartclk being zero, which will result in a +divide by zero error in uart_get_divisor(). The check for +uartclk being zero in uart_set_info() needs to be done +before other settings are made as subsequent calls to +ioctl TIOCSSERIAL for the same port would be impacted if +the uartclk check was done where uartclk gets set. + +Oops: divide error: 0000 PREEMPT SMP KASAN PTI +RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) +Call Trace: + +serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 + drivers/tty/serial/8250/8250_port.c:2589) +serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 + drivers/tty/serial/8250/8250_port.c:2741) +serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) +uart_change_line_settings (./include/linux/spinlock.h:376 + ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) +uart_port_startup (drivers/tty/serial/serial_core.c:342) +uart_startup (drivers/tty/serial/serial_core.c:368) +uart_set_info (drivers/tty/serial/serial_core.c:1034) +uart_set_info_user (drivers/tty/serial/serial_core.c:1059) +tty_set_serial (drivers/tty/tty_io.c:2637) +tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) +__x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 + fs/ioctl.c:893 fs/ioctl.c:893) +do_syscall_64 (arch/x86/entry/common.c:52 + (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + +Reported-by: syzkaller +Cc: stable@vger.kernel.org +Signed-off-by: George Kennedy +Rule: add +Link: https://lore.kernel.org/stable/1721148848-9784-1-git-send-email-george.kennedy%40oracle.com +Link: https://lore.kernel.org/r/1721219078-3209-1-git-send-email-george.kennedy@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/serial_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -857,6 +857,14 @@ static int uart_set_info(struct tty_stru + new_flags = (__force upf_t)new_info->flags; + old_custom_divisor = uport->custom_divisor; + ++ if (!(uport->flags & UPF_FIXED_PORT)) { ++ unsigned int uartclk = new_info->baud_base * 16; ++ /* check needs to be done here before other settings made */ ++ if (uartclk == 0) { ++ retval = -EINVAL; ++ goto exit; ++ } ++ } + if (!capable(CAP_SYS_ADMIN)) { + retval = -EPERM; + if (change_irq || change_port || diff --git a/queue-4.19/series b/queue-4.19/series index 07379f07a8d..ea5f25bbf1d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -178,3 +178,4 @@ tick-broadcast-move-per-cpu-pointer-access-into-the-atomic-section.patch ntp-clamp-maxerror-and-esterror-to-operating-range.patch driver-core-fix-uevent_show-vs-driver-detach-race.patch ntp-safeguard-against-time_constant-overflow.patch +serial-core-check-uartclk-for-zero-to-avoid-divide-by-zero.patch