Commit 3830e8c0 authored by Emil Kronborg's avatar Emil Kronborg Committed by openeuler-sync-bot
Browse files

serial: mxs-auart: add spinlock around changing cts state 

stable inclusion
from stable-v5.10.216
commit 0dc0637e6b16158af85945425821bfd0151adb37
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5H7
CVE: CVE-2024-27000

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0dc0637e6b16158af85945425821bfd0151adb37



--------------------------------

[ Upstream commit 54c4ec5f8c471b7c1137a1f769648549c423c026 ]

The uart_handle_cts_change() function in serial_core expects the caller
to hold uport->lock. For example, I have seen the below kernel splat,
when the Bluetooth driver is loaded on an i.MX28 board.

    [   85.119255] ------------[ cut here ]------------
    [   85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec
    [   85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs
    [   85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1
    [   85.151396] Hardware name: Freescale MXS (Device Tree)
    [   85.156679] Workqueue: hci0 hci_power_on [bluetooth]
    (...)
    [   85.191765]  uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4
    [   85.198787]  mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210
    (...)

Cc: stable@vger.kernel.org
Fixes: 4d90bb14 ("serial: core: Document and assert lock requirements for irq helpers")
Reviewed-by: default avatarFrank Li <Frank.Li@nxp.com>
Signed-off-by: default avatarEmil Kronborg <emil.kronborg@protonmail.com>
Link: https://lore.kernel.org/r/20240320121530.11348-1-emil.kronborg@protonmail.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarGONG, Ruiqi <gongruiqi1@huawei.com>
(cherry picked from commit c90ea48d)
parent 5d840153

drivers/tty/serial/mxs-auart.c

+6 −2
Original line number Diff line number Diff line
@@ -1122,11 +1122,13 @@ static void mxs_auart_set_ldisc(struct uart_port *port, 


static irqreturn_t mxs_auart_irq_handle(int irq, void *context)

{

	u32 istat;

	u32 istat, stat;

	struct mxs_auart_port *s = context;

	u32 mctrl_temp = s->mctrl_prev;

	u32 stat = mxs_read(s, REG_STAT);



	uart_port_lock(&s->port);



	stat = mxs_read(s, REG_STAT);

	istat = mxs_read(s, REG_INTR);



	/* ack irq */
@@ -1162,6 +1164,8 @@ static irqreturn_t mxs_auart_irq_handle(int irq, void *context) 
		istat &= ~AUART_INTR_TXIS;

	}



	uart_port_unlock(&s->port);



	return IRQ_HANDLED;

}