If the chip wrongly reports a TX FIFO space, bigger than the driver's buffer, it runs over and destroys the struct sc16is7xx_port, its struct kworker, and very likely a lot more. For us, this led to the immediate crash of the driver's kworker thread.

Prevent a buffer overrun by adding a length check.

Signed-off-by: Florian Achleitner <achleitner.florian@xxxxxxxxxxx>
---
Hi,
These two patches obsolete the previous single patch. I think we surely want this one, a buffer overrun must not occur.

Regards,
Florian

drivers/tty/serial/sc16is7xx.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 02f37dc..df45eb2 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -631,6 +631,8 @@ static void sc16is7xx_handle_tx(struct uart_port *port) /* Limit to size of TX FIFO */ txlen = sc16is7xx_port_read(port, SC16IS7XX_TXLVL_REG); to_send = (to_send > txlen) ? txlen : to_send; + /* prevent buffer overrun if reported txlen is flawed */ + to_send = (to_send > sizeof(s->buf)) ? sizeof(s->buf) : to_send; /* Add data to send */ port->icount.tx += to_send; -- 2.1.4
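
Review bot: The added clamp on to_send in sc16is7xx_handle_tx() silently hides the case where the SC16IS7XX_TXLVL_REG read returns more than sizeof(s->buf), so a misbehaving chip or bus transfer leaves no trace. Consider validating txlen itself right after the sc16is7xx_port_read() call and emitting a rate-limited warning before clamping, so the condition described in the commit message can be diagnosed when it recurs. As a style point, the two back-to-back ternaries read more clearly with the kernel's min helpers, for example `to_send = min_t(size_t, to_send, sizeof(s->buf));`, which also makes the comparison type explicit: sizeof() yields size_t, and the declared type of to_send is not visible in this hunk.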