| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250513024212.74658-2-cuiyunhui@bytedance.com>
Date: Tue, 13 May 2025 10:42:10 +0800
From: Yunhui Cui <cuiyunhui@...edance.com>
To: arnd@...db.de,
andriy.shevchenko@...ux.intel.com,
benjamin.larsson@...exis.eu,
cuiyunhui@...edance.com,
gregkh@...uxfoundation.org,
heikki.krogerus@...ux.intel.com,
ilpo.jarvinen@...ux.intel.com,
jirislaby@...nel.org,
jkeeping@...usicbrands.com,
john.ogness@...utronix.de,
linux-kernel@...r.kernel.org,
linux-serial@...r.kernel.org,
markus.mayer@...aro.org,
matt.porter@...aro.org,
namcao@...utronix.de,
paulmck@...nel.org,
pmladek@...e.com,
schnelle@...ux.ibm.com,
sunilvl@...tanamicro.com,
tim.kryger@...aro.org
Subject: [PATCH v6 2/4] serial: 8250: avoid potential PSLVERR issue
When the PSLVERR_RESP_EN parameter is set to 1, reading UART_RX while
the FIFO is enabled and UART_LSR_DR is not set will generate a PSLVERR
error.
Failure to check the UART_LSR_DR before reading UART_RX, or the non-
atomic nature of clearing the FIFO and reading UART_RX, poses
potential risks that could lead to PSLVERR.
PSLVERR is addressed through two methods. One is to introduce
serial8250_discard_data() to check whether UART_LSR_DR is set before
reading UART_RX, thus solving the PSLVERR issue when the FIFO is
enabled. The other is to place FIFO clearing and reading of UART_RX
under port->lock.
Signed-off-by: Yunhui Cui <cuiyunhui@...edance.com>
---
drivers/tty/serial/8250/8250.h | 13 ++++++++
drivers/tty/serial/8250/8250_port.c | 47 +++++++++++++++--------------
2 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/drivers/tty/serial/8250/8250.h b/drivers/tty/serial/8250/8250.h
index 18530c31a5981..b3fb8a550db35 100644
--- a/drivers/tty/serial/8250/8250.h
+++ b/drivers/tty/serial/8250/8250.h
@@ -162,6 +162,19 @@ static inline u16 serial_lsr_in(struct uart_8250_port *up)
return lsr;
}
+/*
+ * To avoid PSLVERR, check UART_LSR_DR in UART_LSR before
+ * reading UART_RX.
+ */
+static inline void serial8250_discard_data(struct uart_8250_port *up)
+{
+ u16 lsr;
+
+ lsr = serial_in(up, UART_LSR);
+ if (lsr & UART_LSR_DR)
+ serial_in(up, UART_RX);
+}
+
/*
* For the 16C950
*/
diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
index 07fe818dffa34..9a04f24b0c762 100644
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -1353,9 +1353,8 @@ static void autoconfig_irq(struct uart_8250_port *up)
/* Synchronize UART_IER access against the console. */
uart_port_lock_irq(port);
serial_out(up, UART_IER, UART_IER_ALL_INTR);
+ serial8250_discard_data(up);
uart_port_unlock_irq(port);
- serial_in(up, UART_LSR);
- serial_in(up, UART_RX);
serial_in(up, UART_IIR);
serial_in(up, UART_MSR);
serial_out(up, UART_TX, 0xFF);
@@ -2133,25 +2132,22 @@ static void wait_for_xmitr(struct uart_8250_port *up, int bits)
static int serial8250_get_poll_char(struct uart_port *port)
{
struct uart_8250_port *up = up_to_u8250p(port);
- int status;
+ int status = NO_POLL_CHAR;
u16 lsr;
+ unsigned long flags;
serial8250_rpm_get(up);
+ uart_port_lock_irqsave(port, &flags);
lsr = serial_port_in(port, UART_LSR);
+ if (lsr & UART_LSR_DR)
+ status = serial_port_in(port, UART_RX);
+ uart_port_unlock_irqrestore(port, flags);
- if (!(lsr & UART_LSR_DR)) {
- status = NO_POLL_CHAR;
- goto out;
- }
-
- status = serial_port_in(port, UART_RX);
-out:
serial8250_rpm_put(up);
return status;
}
-
static void serial8250_put_poll_char(struct uart_port *port,
unsigned char c)
{
@@ -2260,13 +2256,20 @@ int serial8250_do_startup(struct uart_port *port)
* Clear the FIFO buffers and disable them.
* (they will be reenabled in set_termios())
*/
+ uart_port_lock_irqsave(port, &flags);
serial8250_clear_fifos(up);
/*
- * Clear the interrupt registers.
+ * Read UART_RX to clear interrupts (e.g., Character Timeout).
+ * To prevent PSLVERR, we can either disable the FIFO before reading
+ * UART_RX or read UART_RX only when UART_LSR_DR is set while the FIFO
+ * remains enabled. If using the latter approach to avoid PSLVERR, it
+ * creates a contradiction with the interrupt-clearing (see the
+ * rx_timeout handling in dw8250_handle_irq()).
*/
serial_port_in(port, UART_LSR);
serial_port_in(port, UART_RX);
+ uart_port_unlock_irqrestore(port, flags);
serial_port_in(port, UART_IIR);
serial_port_in(port, UART_MSR);
@@ -2423,15 +2426,13 @@ int serial8250_do_startup(struct uart_port *port)
}
}
- uart_port_unlock_irqrestore(port, flags);
-
/*
* Clear the interrupt registers again for luck, and clear the
* saved flags to avoid getting false values from polling
* routines or the previous session.
*/
- serial_port_in(port, UART_LSR);
- serial_port_in(port, UART_RX);
+ serial8250_discard_data(up);
+ uart_port_unlock_irqrestore(port, flags);
serial_port_in(port, UART_IIR);
serial_port_in(port, UART_MSR);
up->lsr_saved_flags = 0;
@@ -2513,7 +2514,6 @@ void serial8250_do_shutdown(struct uart_port *port)
port->mctrl &= ~TIOCM_OUT2;
serial8250_set_mctrl(port, port->mctrl);
- uart_port_unlock_irqrestore(port, flags);
/*
* Disable break condition and FIFOs
@@ -2521,6 +2521,14 @@ void serial8250_do_shutdown(struct uart_port *port)
serial_port_out(port, UART_LCR,
serial_port_in(port, UART_LCR) & ~UART_LCR_SBC);
serial8250_clear_fifos(up);
+ /*
+ * Read data port to reset things, and then unlink from
+ * the IRQ chain.
+ * Since reading UART_RX clears interrupts, doing so with
+ * FIFO disabled won't trigger PSLVERR.
+ */
+ serial_port_in(port, UART_RX);
+ uart_port_unlock_irqrestore(port, flags);
#ifdef CONFIG_SERIAL_8250_RSA
/*
@@ -2529,11 +2537,6 @@ void serial8250_do_shutdown(struct uart_port *port)
disable_rsa(up);
#endif
- /*
- * Read data port to reset things, and then unlink from
- * the IRQ chain.
- */
- serial_port_in(port, UART_RX);
serial8250_rpm_put(up);
up->ops->release_irq(up);
--
2.39.2
Powered by blists - more mailing lists