Memory safety vulnerability (out-of-bounds access)
Description
The patch fixes a memory-safety vulnerability in the HVC IUCV path. The function hvc_iucv_get_private previously used a bounds check that allowed an out-of-bounds access when the requested index num equaled the number of devices (num == hvc_iucv_devices). The code path returned hvc_iucv_table[num], which would access memory after the end of the hvc_iucv_table array. This could lead to out-of-bounds reads (and potentially writes) in kernel memory, depending on how the returned pointer is used. The fix changes the condition to if (num >= hvc_iucv_devices) to prevent the out-of-bounds access.
Proof of Concept
Pre-fix vulnerability scenario (conceptual PoC): There is an off-by-one bounds check in hvc_iucv_get_private. If an attacker or buggy code causes a call with num equal to the number of configured devices (num == hvc_iucv_devices), the function would access hvc_iucv_table[num], which is out of bounds. An exploit would require triggering the IUCV/hvc path with a crafted num equal to the device count and then using the returned pointer without additional validation.
Example (conceptual, not portable across builds):
// Pre-fix vulnerable version (conceptual)
static struct hvc_iucv_private *hvc_iucv_get_private(uint32_t num)
{
if (num > hvc_iucv_devices)
return NULL;
return hvc_iucv_table[num];
}
// Attack trigger (conceptual):
// Suppose there are N devices
uint32_t crafted_num = hvc_iucv_devices; // equals N
struct hvc_iucv_private *priv = hvc_iucv_get_private(crafted_num);
if (priv) {
// In the buggy path this could be a valid non-NULL pointer to memory beyond the table.
// Attacker could read/write priv->field or use priv as an arbitrary kernel pointer.
// This could crash the kernel or lead to memory corruption.
}
In a real system, triggering this would require an IUCV/HVC channel operation that supplies the channel index as the num value used by hvc_iucv_get_private. The PoC demonstrates the exact condition that would be exploitable prior to the fix: num == hvc_iucv_devices leading to an out-of-bounds access and potential memory corruption.
Commit Details
Author: Linus Torvalds
Date: 2026-04-19 15:44 UTC
Message:
Merge tag 'tty-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial updates from Greg KH:
"Here is the set of tty and serial driver changes for 7.1-rc1.
Not much here this cycle, biggest thing is the removal of an old
driver that never got any actual hardware support (esp32), and the
second try to moving the tty ports to their own workqueues (first try
was in 7.0-rc1 but was reverted due to problems)
Otherwise it's just a small set of driver updates and some vt modifier
key enhancements.
All have been in linux-next for a while with no reported issues"
* tag 'tty-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: (35 commits)
tty: serial: ip22zilog: Fix section mispatch warning
hvc/xen: Check console connection flag
serial: sh-sci: Add support for RZ/G3L RSCI
dt-bindings: serial: renesas,rsci: Document RZ/G3L SoC
tty: atmel_serial: update outdated reference to atmel_tasklet_func()
serial: xilinx_uartps: Drop unused include
serial: qcom-geni: drop stray newline format specifier
serial: 8250: loongson: Enable building on MIPS Loongson64
dt-bindings: serial: 8250: Add Loongson 3A4000 uart compatible
serial: 8250_fintek: Add support for F81214E
tty: tty_port: add workqueue to flip TTY buffer
vt: support ITU-T T.416 color subparameters
serial: qcom-geni: Fix RTS behavior with flow control
tty: serial: imx: keep dma request disabled before dma transfer setup
tty: serial: 8250: Add SystemBase Multi I/O cards
serial: pic32_uart: allow driver to be compiled on all architectures with COMPILE_TEST
serial: tegra: remove Kconfig dependency on APB DMA controller
dt-bindings: serial: amlogic,meson-uart: Add compatible string for A9
dt-bindings: serial: atmel,at91-usart: add microchip,lan9691-usart
serial: auart: check clk_enable() return in console write
...
Triage Assessment
Vulnerability Type: Memory safety
Confidence: MEDIUM
Reasoning:
The patch fixes an off-by-one / bounds check in hvc_iucv_get_private, changing a comparison from num > devices to num >= devices. This prevents out-of-bounds access to the hvc_iucv_table array, addressing a potential memory safety vulnerability in the HVC IUCV handling path.
Verification Assessment
Vulnerability Type: Memory safety vulnerability (out-of-bounds access)
Confidence: MEDIUM
Affected Versions: v7.0-rc6 and earlier (before this fix was merged)
Code Diff
diff --git a/Documentation/devicetree/bindings/serial/8250.yaml b/Documentation/devicetree/bindings/serial/8250.yaml
index e9e07c2356bc9c..bb7b9c87a8072e 100644
--- a/Documentation/devicetree/bindings/serial/8250.yaml
+++ b/Documentation/devicetree/bindings/serial/8250.yaml
@@ -182,6 +182,7 @@ properties:
- const: ns16550a
- items:
- enum:
+ - loongson,ls3a4000-uart
- loongson,ls3a5000-uart
- loongson,ls3a6000-uart
- loongson,ls2k2000-uart
diff --git a/Documentation/devicetree/bindings/serial/amlogic,meson-uart.yaml b/Documentation/devicetree/bindings/serial/amlogic,meson-uart.yaml
index d8ad1bb6172da2..a2702319685d54 100644
--- a/Documentation/devicetree/bindings/serial/amlogic,meson-uart.yaml
+++ b/Documentation/devicetree/bindings/serial/amlogic,meson-uart.yaml
@@ -56,6 +56,7 @@ properties:
items:
- enum:
- amlogic,a4-uart
+ - amlogic,a9-uart
- amlogic,s6-uart
- amlogic,s7-uart
- amlogic,s7d-uart
diff --git a/Documentation/devicetree/bindings/serial/atmel,at91-usart.yaml b/Documentation/devicetree/bindings/serial/atmel,at91-usart.yaml
index 087a8926f8b4ed..375cd50bc5cca1 100644
--- a/Documentation/devicetree/bindings/serial/atmel,at91-usart.yaml
+++ b/Documentation/devicetree/bindings/serial/atmel,at91-usart.yaml
@@ -24,6 +24,7 @@ properties:
- const: atmel,at91sam9260-usart
- items:
- enum:
+ - microchip,lan9691-usart
- microchip,sam9x60-usart
- microchip,sam9x7-usart
- microchip,sama7d65-usart
diff --git a/Documentation/devicetree/bindings/serial/renesas,rsci.yaml b/Documentation/devicetree/bindings/serial/renesas,rsci.yaml
index e059b14775ebc8..85ebb3056066fb 100644
--- a/Documentation/devicetree/bindings/serial/renesas,rsci.yaml
+++ b/Documentation/devicetree/bindings/serial/renesas,rsci.yaml
@@ -14,6 +14,7 @@ properties:
compatible:
oneOf:
- enum:
+ - renesas,r9a08g046-rsci # RZ/G3L
- renesas,r9a09g047-rsci # RZ/G3E
- renesas,r9a09g077-rsci # RZ/T2H
@@ -145,6 +146,31 @@ allOf:
- resets
- reset-names
+ - if:
+ properties:
+ compatible:
+ contains:
+ const: renesas,r9a08g046-rsci
+ then:
+ properties:
+ interrupts:
+ minItems: 6
+
+ interrupt-names:
+ minItems: 6
+
+ clocks:
+ minItems: 2
+ maxItems: 3
+
+ clock-names:
+ minItems: 2
+ maxItems: 3
+
+ required:
+ - resets
+ - reset-names
+
unevaluatedProperties: false
examples:
diff --git a/Documentation/devicetree/bindings/serial/snps-dw-apb-uart.yaml b/Documentation/devicetree/bindings/serial/snps-dw-apb-uart.yaml
index 6efe43089a74d3..685c1eceb78257 100644
--- a/Documentation/devicetree/bindings/serial/snps-dw-apb-uart.yaml
+++ b/Documentation/devicetree/bindings/serial/snps-dw-apb-uart.yaml
@@ -71,6 +71,7 @@ properties:
- rockchip,rk3568-uart
- rockchip,rk3576-uart
- rockchip,rk3588-uart
+ - rockchip,rv1103b-uart
- rockchip,rv1108-uart
- rockchip,rv1126-uart
- sophgo,sg2044-uart
diff --git a/drivers/tty/hvc/hvc_iucv.c b/drivers/tty/hvc/hvc_iucv.c
index 1dcdb9e99bd8a6..37db8a3e5158e6 100644
--- a/drivers/tty/hvc/hvc_iucv.c
+++ b/drivers/tty/hvc/hvc_iucv.c
@@ -130,7 +130,7 @@ static struct iucv_handler hvc_iucv_handler = {
*/
static struct hvc_iucv_private *hvc_iucv_get_private(uint32_t num)
{
- if (num > hvc_iucv_devices)
+ if (num >= hvc_iucv_devices)
return NULL;
return hvc_iucv_table[num];
}
diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
index cb427e93372dae..cc7f7091ed9a20 100644
--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -532,14 +532,16 @@ static void __init legacy_pty_init(void)
pty_driver = tty_alloc_driver(legacy_count,
TTY_DRIVER_RESET_TERMIOS |
TTY_DRIVER_REAL_RAW |
- TTY_DRIVER_DYNAMIC_ALLOC);
+ TTY_DRIVER_DYNAMIC_ALLOC |
+ TTY_DRIVER_NO_WORKQUEUE);
if (IS_ERR(pty_driver))
panic("Couldn't allocate pty driver");
pty_slave_driver = tty_alloc_driver(legacy_count,
TTY_DRIVER_RESET_TERMIOS |
TTY_DRIVER_REAL_RAW |
- TTY_DRIVER_DYNAMIC_ALLOC);
+ TTY_DRIVER_DYNAMIC_ALLOC |
+ TTY_DRIVER_NO_WORKQUEUE);
if (IS_ERR(pty_slave_driver))
panic("Couldn't allocate pty slave driver");
@@ -849,7 +851,8 @@ static void __init unix98_pty_init(void)
TTY_DRIVER_REAL_RAW |
TTY_DRIVER_DYNAMIC_DEV |
TTY_DRIVER_DEVPTS_MEM |
- TTY_DRIVER_DYNAMIC_ALLOC);
+ TTY_DRIVER_DYNAMIC_ALLOC |
+ TTY_DRIVER_NO_WORKQUEUE);
if (IS_ERR(ptm_driver))
panic("Couldn't allocate Unix98 ptm driver");
pts_driver = tty_alloc_driver(NR_UNIX98_PTY_MAX,
@@ -857,7 +860,8 @@ static void __init unix98_pty_init(void)
TTY_DRIVER_REAL_RAW |
TTY_DRIVER_DYNAMIC_DEV |
TTY_DRIVER_DEVPTS_MEM |
- TTY_DRIVER_DYNAMIC_ALLOC);
+ TTY_DRIVER_DYNAMIC_ALLOC |
+ TTY_DRIVER_NO_WORKQUEUE);
if (IS_ERR(pts_driver))
panic("Couldn't allocate Unix98 pts driver");
diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
index d2e2c5dfef9959..a428e88938eb78 100644
--- a/drivers/tty/serial/8250/8250_core.c
+++ b/drivers/tty/serial/8250/8250_core.c
@@ -524,7 +524,7 @@ console_initcall(univ8250_console_init);
struct uart_driver serial8250_reg = {
.owner = THIS_MODULE,
- .driver_name = "serial",
+ .driver_name = "serial_8250",
.dev_name = "ttyS",
.major = TTY_MAJOR,
.minor = 64,
diff --git a/drivers/tty/serial/8250/8250_fintek.c b/drivers/tty/serial/8250/8250_fintek.c
index b4461a89b8d0ca..976c5748905c12 100644
--- a/drivers/tty/serial/8250/8250_fintek.c
+++ b/drivers/tty/serial/8250/8250_fintek.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0
/*
- * Probe for F81216A LPC to 4 UART
+ * Probe for F81216A LPC to 4 UART and F81214E LPC/eSPI to 2 UART
*
* Copyright (C) 2014-2016 Ricardo Ribalda, Qtechnology A/S
*/
@@ -23,6 +23,7 @@
#define CHIP_ID_F81216AD 0x1602
#define CHIP_ID_F81216E 0x1617
#define CHIP_ID_F81216H 0x0501
+#define CHIP_ID_F81214E 0x1417
#define CHIP_ID_F81216 0x0802
#define VENDOR_ID1 0x23
#define VENDOR_ID1_VAL 0x19
@@ -161,6 +162,7 @@ static int fintek_8250_check_id(struct fintek_8250 *pdata)
case CHIP_ID_F81216AD:
case CHIP_ID_F81216E:
case CHIP_ID_F81216H:
+ case CHIP_ID_F81214E:
case CHIP_ID_F81216:
break;
default:
@@ -185,6 +187,7 @@ static int fintek_8250_get_ldn_range(struct fintek_8250 *pdata, int *min,
case CHIP_ID_F81216AD:
case CHIP_ID_F81216E:
case CHIP_ID_F81216H:
+ case CHIP_ID_F81214E:
case CHIP_ID_F81216:
*min = F81216_LDN_LOW;
*max = F81216_LDN_HIGH;
@@ -255,6 +258,7 @@ static void fintek_8250_set_irq_mode(struct fintek_8250 *pdata, bool is_level)
case CHIP_ID_F81216AD:
case CHIP_ID_F81216E:
case CHIP_ID_F81216H:
+ case CHIP_ID_F81214E:
case CHIP_ID_F81216:
sio_write_mask_reg(pdata, FINTEK_IRQ_MODE, IRQ_SHARE,
IRQ_SHARE);
@@ -269,6 +273,7 @@ static void fintek_8250_set_max_fifo(struct fintek_8250 *pdata)
switch (pdata->pid) {
case CHIP_ID_F81216E: /* 128Bytes FIFO */
case CHIP_ID_F81216H:
+ case CHIP_ID_F81214E:
case CHIP_ID_F81966:
case CHIP_ID_F81866:
sio_write_mask_reg(pdata, FIFO_CTRL,
@@ -304,6 +309,7 @@ static void fintek_8250_set_termios(struct uart_port *port,
switch (pdata->pid) {
case CHIP_ID_F81216E:
case CHIP_ID_F81216H:
+ case CHIP_ID_F81214E:
reg = RS485;
break;
case CHIP_ID_F81966:
@@ -354,6 +360,7 @@ static void fintek_8250_set_termios_handler(struct uart_8250_port *uart)
switch (pdata->pid) {
case CHIP_ID_F81216E:
case CHIP_ID_F81216H:
+ case CHIP_ID_F81214E:
case CHIP_ID_F81966:
case CHIP_ID_F81866:
uart->port.set_termios = fintek_8250_set_termios;
@@ -446,6 +453,7 @@ static void fintek_8250_set_rs485_handler(struct uart_8250_port *uart)
break;
case CHIP_ID_F81216E: /* F81216E does not support RS485 delays */
+ case CHIP_ID_F81214E: /* F81214E does not support RS485 delays */
uart->port.rs485_config = fintek_8250_rs485_config;
uart->port.rs485_supported = fintek_8250_rs485_supported;
break;
diff --git a/drivers/tty/serial/8250/8250_pci.c b/drivers/tty/serial/8250/8250_pci.c
index 6cfd1b2af5b770..2fbd8f2603b5fc 100644
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -100,6 +100,8 @@
#define PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG 0x7025
#define PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG 0x7026
+#define PCI_VENDOR_ID_SYSTEMBASE 0x14a1
+
/* Unknown vendors/cards - this should not be in linux/pci_ids.h */
#define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
#define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588
@@ -2133,6 +2135,35 @@ pci_moxa_setup(struct serial_private *priv,
return setup_port(priv, port, bar, offset, 0);
}
+#define SB_OPTR_IMR0 0x0c /* Interrupt mask register, p0 to p7 */
+static int pci_systembase_init(struct pci_dev *dev)
+{
+ resource_size_t iobase;
+
+ if (!IS_ENABLED(CONFIG_HAS_IOPORT))
+ return serial_8250_warn_need_ioport(dev);
+
+ iobase = pci_resource_start(dev, 1);
+
+ /* This will support up to 8 ports */
+ outb(0xff, iobase + SB_OPTR_IMR0);
+
+ return 0;
+}
+
+static void pci_systembase_exit(struct pci_dev *dev)
+{
+ resource_size_t iobase;
+
+ if (!IS_ENABLED(CONFIG_HAS_IOPORT)) {
+ serial_8250_warn_need_ioport(dev);
+ return;
+ }
+
+ iobase = pci_resource_start(dev, 0);
+ outb(0x00, iobase + SB_OPTR_IMR0);
+}
+
/*
* Master list of serial port init/setup/exit quirks.
* This does not describe the general nature of the port.
@@ -2481,6 +2512,16 @@ static struct pci_serial_quirk pci_serial_quirks[] = {
.init = pci_siig_init,
.setup = pci_siig_setup,
},
+ /* Systembase */
+ {
+ .vendor = PCI_VENDOR_ID_SYSTEMBASE,
+ .device = 0x0008,
+ .subvendor = PCI_ANY_ID,
+ .subdevice = PCI_ANY_ID,
+ .init = pci_systembase_init,
+ .setup = pci_default_setup,
+ .exit = pci_systembase_exit,
+ },
/*
* Titan cards
*/
@@ -3054,6 +3095,7 @@ enum pci_board_num_t {
pbn_b0_1_921600,
pbn_b0_2_921600,
pbn_b0_4_921600,
+ pbn_b0_8_921600,
pbn_b0_2_1130000,
@@ -3254,6 +3296,12 @@ static struct pciserial_board pci_boards[] = {
.base_baud = 921600,
.uart_offset = 8,
},
+ [pbn_b0_8_921600] = {
+ .flags = FL_BASE0,
+ .num_ports = 8,
+ .base_baud = 921600,
+ .uart_offset = 8,
+ },
[pbn_b0_2_1130000] = {
.flags = FL_BASE0,
@@ -6169,6 +6217,9 @@ static const struct pci_device_id serial_pci_tbl[] = {
PCI_ANY_ID, PCI_ANY_ID,
0, 0, pbn_b0_1_115200 },
+ /* Systembase Multi I/O cards */
+ { PCI_VDEVICE(SYSTEMBASE, 0x0008), pbn_b0_8_921600 },
+
/* Fintek PCI serial cards */
{ PCI_DEVICE(0x1c29, 0x1104), .driver_data = pbn_fintek_4 },
{ PCI_DEVICE(0x1c29, 0x1108), .driver_data = pbn_fintek_8 },
diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
index 328711b5df1a89..af78cc02f38e71 100644
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -2372,8 +2372,8 @@ void serial8250_do_shutdown(struct uart_port *port)
synchronize_irq(port->irq);
- if (up->dma)
- serial8250_release_dma(up);
+ serial8250_release_dma(up);
+ up->dma = NULL;
scoped_guard(uart_port_lock_irqsave, port) {
if (port->flags & UPF_FOURPORT) {
diff --git a/drivers/tty/serial/8250/Kconfig b/drivers/tty/serial/8250/Kconfig
index fd4e8b6ab60d3e..fc3e58d62233c9 100644
--- a/drivers/tty/serial/8250/Kconfig
+++ b/drivers/tty/serial/8250/Kconfig
@@ -465,11 +465,12 @@ config SERIAL_8250_OMAP_TTYO_FIXUP
config SERIAL_8250_LOONGSON
tristate "Loongson 8250 based serial port"
depends on SERIAL_8250
- depends on LOONGARCH || COMPILE_TEST
+ depends on LOONGARCH || MACH_LOONGSON64 || COMPILE_TEST
help
- If you have a machine based on LoongArch CPU you can enable
- its onboard serial ports by enabling this option. The option
- is applicable to both devicetree and ACPI, say Y to this option.
+ If you have a machine based on LoongArch CPU or MIPS-based Loongson
+ 3A4000 CPU you can enable its onboard serial ports by enabling this
+ option. The option is applicable to both devicetree and ACPI, say Y
+ to enable this option.
If unsure, say N.
config SERIAL_8250_LPC18XX
diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
index f86775cfdcc9eb..9aa61c93d7bc6d 100644
--- a/drivers/tty/serial/Kconfig
+++ b/drivers/tty/serial/Kconfig
@@ -255,14 +255,13 @@ config SERIAL_SAMSUNG_CONSOLE
config SERIAL_TEGRA
tristate "NVIDIA Tegra20/30 SoC serial controller"
- depends on (ARCH_TEGRA && TEGRA20_APB_DMA) || COMPILE_TEST
+ depends on ARCH_TEGRA || COMPILE_TEST
select SERIAL_CORE
help
Support for the on-chip UARTs on the NVIDIA Tegra series SOCs
providing /dev/ttyTHS0, 1, 2, 3 and 4 (note, some machines may not
provide all of these ports, depending on how the serial port
- are enabled). This driver uses the APB DMA to achieve higher baudrate
- and better performance.
+ are enabled).
config SERIAL_TEGRA_TCU
tristate "NVIDIA Tegra Combined UART"
@@ -803,7 +802,7 @@ config SERIAL_CPM_CONSOLE
config SERIAL_PIC32
tristate "Microchip PIC32 serial support"
- depends on MACH_PIC32 || (MIPS && COMPILE_TEST)
+ depends on MACH_PIC32 || COMPILE_TEST
select SERIAL_CORE
help
If you have a PIC32, this driver supports the serial ports.
@@ -1593,32 +1592,6 @@ config SERIAL_NUVOTON_MA35D1_CONSOLE
but you can alter that using a kernel command line option such as
"console=ttyNVTx".
-config SERIAL_ESP32
- tristate "Espressif ESP32 UART support"
- depends on XTENSA_PLATFORM_ESP32 || (COMPILE_TEST && OF)
- select SERIAL_CORE
- select SERIAL_CORE_CONSOLE
- select SERIAL_EARLYCON
- help
- Driver for the UART controllers of the Espressif ESP32xx SoCs.
- When earlycon option is enabled the following kernel command line
- snippets may be used:
- earlycon=esp32s3uart,mmio32,0x60000000,115200n8,40000000
- earlycon=esp32uart,mmio32,0x3ff40000,115200n8
-
-config SERIAL_ESP32_ACM
- tristate "Espressif ESP32 USB ACM gadget support"
- depends on XTENSA_PLATFORM_ESP32 || (COMPILE_TEST && OF)
- select SERIAL_CORE
- select SERIAL_CORE_CONSOLE
- select SERIAL_EARLYCON
- help
- Driver for the CDC ACM gadget controller of the Espressif ESP32S3
- SoCs that share separate USB controller with the JTAG adapter.
- When earlycon option is enabled the following kernel command line
- snippet may be used:
- earlycon=esp32s3acm,mmio32,0x60038000
-
endmenu
config SERIAL_MCTRL_GPIO
diff --git a/drivers/tty/serial/Makefile b/drivers/tty/serial/Makefile
index a2ccbc508ec57f..bba7b21a4a1d32 100644
--- a/drivers/tty/serial/Makefile
+++ b/drivers/tty/serial/Makefile
@@ -37,8 +37,6 @@ obj-$(CONFIG_SERIAL_CLPS711X) += clps711x.
... [truncated]