2024-04-16 12:58:30

by Parker Newman

[permalink] [raw]
Subject: [PATCH v3 8/8] serial: exar: fix: fix crash during shutdown if setup fails

From: Parker Newman <[email protected]>

If a port fails to register with serial8250_register_8250_port() the
kernel can crash when shutting down or module removal.

This is because "priv->line[i]" will be set to a negative error code
and in the exar_pci_remove() function serial8250_unregister_port() is
called without checking if the "priv->line[i]" value is valid.

Signed-off-by: Parker Newman <[email protected]>
---
drivers/tty/serial/8250/8250_exar.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 501b9f3e9c89..f5a395ed69d1 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -1671,7 +1671,8 @@ static void exar_pci_remove(struct pci_dev *pcidev)
unsigned int i;

for (i = 0; i < priv->nr; i++)
- serial8250_unregister_port(priv->line[i]);
+ if (priv->line[i] >= 0)
+ serial8250_unregister_port(priv->line[i]);

/* Ensure that every init quirk is properly torn down */
if (priv->board->exit)
--
2.43.2



2024-04-17 11:19:16

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH v3 8/8] serial: exar: fix: fix crash during shutdown if setup fails

On Tue, Apr 16, 2024 at 08:55:35AM -0400, Parker Newman wrote:
> From: Parker Newman <[email protected]>
>
> If a port fails to register with serial8250_register_8250_port() the
> kernel can crash when shutting down or module removal.
>
> This is because "priv->line[i]" will be set to a negative error code
> and in the exar_pci_remove() function serial8250_unregister_port() is
> called without checking if the "priv->line[i]" value is valid.
>
> Signed-off-by: Parker Newman <[email protected]>
> ---
> drivers/tty/serial/8250/8250_exar.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
> index 501b9f3e9c89..f5a395ed69d1 100644
> --- a/drivers/tty/serial/8250/8250_exar.c
> +++ b/drivers/tty/serial/8250/8250_exar.c
> @@ -1671,7 +1671,8 @@ static void exar_pci_remove(struct pci_dev *pcidev)
> unsigned int i;
>
> for (i = 0; i < priv->nr; i++)
> - serial8250_unregister_port(priv->line[i]);
> + if (priv->line[i] >= 0)
> + serial8250_unregister_port(priv->line[i]);

Is this a bug in the current driver? If so, can you resend it on its
own so we can get it merged now?

thanks,

greg k-h

2024-04-17 12:24:29

by Parker Newman

[permalink] [raw]
Subject: Re: [PATCH v3 8/8] serial: exar: fix: fix crash during shutdown if setup fails

On Wed, 17 Apr 2024 13:19:07 +0200
Greg Kroah-Hartman <[email protected]> wrote:

> On Tue, Apr 16, 2024 at 08:55:35AM -0400, Parker Newman wrote:
> > From: Parker Newman <[email protected]>
> >
> > If a port fails to register with serial8250_register_8250_port() the
> > kernel can crash when shutting down or module removal.
> >
> > This is because "priv->line[i]" will be set to a negative error code
> > and in the exar_pci_remove() function serial8250_unregister_port() is
> > called without checking if the "priv->line[i]" value is valid.
> >
> > Signed-off-by: Parker Newman <[email protected]>
> > ---
> > drivers/tty/serial/8250/8250_exar.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
> > index 501b9f3e9c89..f5a395ed69d1 100644
> > --- a/drivers/tty/serial/8250/8250_exar.c
> > +++ b/drivers/tty/serial/8250/8250_exar.c
> > @@ -1671,7 +1671,8 @@ static void exar_pci_remove(struct pci_dev *pcidev)
> > unsigned int i;
> >
> > for (i = 0; i < priv->nr; i++)
> > - serial8250_unregister_port(priv->line[i]);
> > + if (priv->line[i] >= 0)
> > + serial8250_unregister_port(priv->line[i]);
>
> Is this a bug in the current driver? If so, can you resend it on its
> own so we can get it merged now?
>

Yes it is, I can split this one out and send it on its own.
Thanks,
Parker

> thanks,
>
> greg k-h


2024-04-17 13:56:08

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH v3 8/8] serial: exar: fix: fix crash during shutdown if setup fails

On Wed, Apr 17, 2024 at 08:24:13AM -0400, Parker Newman wrote:
> On Wed, 17 Apr 2024 13:19:07 +0200
> Greg Kroah-Hartman <[email protected]> wrote:
>
> > On Tue, Apr 16, 2024 at 08:55:35AM -0400, Parker Newman wrote:
> > > From: Parker Newman <[email protected]>
> > >
> > > If a port fails to register with serial8250_register_8250_port() the
> > > kernel can crash when shutting down or module removal.
> > >
> > > This is because "priv->line[i]" will be set to a negative error code
> > > and in the exar_pci_remove() function serial8250_unregister_port() is
> > > called without checking if the "priv->line[i]" value is valid.
> > >
> > > Signed-off-by: Parker Newman <[email protected]>
> > > ---
> > > drivers/tty/serial/8250/8250_exar.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
> > > index 501b9f3e9c89..f5a395ed69d1 100644
> > > --- a/drivers/tty/serial/8250/8250_exar.c
> > > +++ b/drivers/tty/serial/8250/8250_exar.c
> > > @@ -1671,7 +1671,8 @@ static void exar_pci_remove(struct pci_dev *pcidev)
> > > unsigned int i;
> > >
> > > for (i = 0; i < priv->nr; i++)
> > > - serial8250_unregister_port(priv->line[i]);
> > > + if (priv->line[i] >= 0)
> > > + serial8250_unregister_port(priv->line[i]);
> >
> > Is this a bug in the current driver? If so, can you resend it on its
> > own so we can get it merged now?
> >
>
> Yes it is, I can split this one out and send it on its own.

Great! Bonus points if you can find the commit id it fixes and add a
"Fixes:" tag to the signed-off-by area. If not, I can guess :)

thanks,

greg k-h

2024-04-17 16:33:31

by Parker Newman

[permalink] [raw]
Subject: Re: [PATCH v3 8/8] serial: exar: fix: fix crash during shutdown if setup fails

On Wed, 17 Apr 2024 15:30:56 +0200
Greg Kroah-Hartman <[email protected]> wrote:

> On Wed, Apr 17, 2024 at 08:24:13AM -0400, Parker Newman wrote:
> > On Wed, 17 Apr 2024 13:19:07 +0200
> > Greg Kroah-Hartman <[email protected]> wrote:
> >
> > > On Tue, Apr 16, 2024 at 08:55:35AM -0400, Parker Newman wrote:
> > > > From: Parker Newman <[email protected]>
> > > >
> > > > If a port fails to register with serial8250_register_8250_port() the
> > > > kernel can crash when shutting down or module removal.
> > > >
> > > > This is because "priv->line[i]" will be set to a negative error code
> > > > and in the exar_pci_remove() function serial8250_unregister_port() is
> > > > called without checking if the "priv->line[i]" value is valid.
> > > >
> > > > Signed-off-by: Parker Newman <[email protected]>
> > > > ---
> > > > drivers/tty/serial/8250/8250_exar.c | 3 ++-
> > > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
> > > > index 501b9f3e9c89..f5a395ed69d1 100644
> > > > --- a/drivers/tty/serial/8250/8250_exar.c
> > > > +++ b/drivers/tty/serial/8250/8250_exar.c
> > > > @@ -1671,7 +1671,8 @@ static void exar_pci_remove(struct pci_dev *pcidev)
> > > > unsigned int i;
> > > >
> > > > for (i = 0; i < priv->nr; i++)
> > > > - serial8250_unregister_port(priv->line[i]);
> > > > + if (priv->line[i] >= 0)
> > > > + serial8250_unregister_port(priv->line[i]);
> > >
> > > Is this a bug in the current driver? If so, can you resend it on its
> > > own so we can get it merged now?
> > >
> >
> > Yes it is, I can split this one out and send it on its own.
>
> Great! Bonus points if you can find the commit id it fixes and add a
> "Fixes:" tag to the signed-off-by area. If not, I can guess :)
>
> thanks,
>
> greg k-h

After looking at this again and doing some testing this bug does not actually
happen with the driver in its current state. During my development I had it
happen but that would have been due to me messing around.

When "priv->line[i]" < 0 it breaks out of the for loop and priv->nr is set to "i".
so only the successfully registered ports will be unregistered in exar_pci_remove().

..
for (i = 0; i < nr_ports && i < maxnr; i++) {
rc = board->setup(priv, pcidev, &uart, i);
if (rc) {
dev_err(&pcidev->dev, "Failed to setup port %u\n", i);
break;
}

dev_dbg(&pcidev->dev, "Setup PCI port: port %lx, irq %d, type %d\n",
uart.port.iobase, uart.port.irq, uart.port.iotype);

priv->line[i] = serial8250_register_8250_port(&uart);
if (priv->line[i] < 0) {
dev_err(&pcidev->dev,
"Couldn't register serial port %lx, irq %d, type %d, error %d\n",
uart.port.iobase, uart.port.irq,
uart.port.iotype, priv->line[i]);
break;
}
}
priv->nr = i;
..

Thanks,
Parker