If the chip wrongly reports a TX FIFO space, bigger than the driver's buffer, it runs over and destroys the struct sc16is7xx_port, its struct kworker, and very likely a lot more. For us, this led to the immediate crash of the driver's kworker thread. Prevent a buffer overrun by adding a length check.

Signed-off-by: Florian Achleitner <achleitner.florian@xxxxxxxxxxx>

--- drivers/tty/serial/sc16is7xx.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c index 02f37dc..107a099 100644 --- a/drivers/tty/serial/sc16is7xx.c +++ b/drivers/tty/serial/sc16is7xx.c @@ -631,6 +631,8 @@ static void sc16is7xx_handle_tx(struct uart_port *port) /* Limit to size of TX FIFO */ txlen = sc16is7xx_port_read(port, SC16IS7XX_TXLVL_REG); to_send = (to_send > txlen) ? txlen : to_send; + /* prevent buffer overrun if reported txlen is flawed */ + to_send = (to_send > SC16IS7XX_FIFO_SIZE) ? SC16IS7XX_FIFO_SIZE : to_send; /* Add data to send */ port->icount.tx += to_send; -- 2.5.0
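
Review bot: the added clamp on to_send in sc16is7xx_handle_tx() silently absorbs an impossible TXLVL reading, so a chip or bus fault that used to crash the kworker now leaves no trace at all. Checking txlen itself against SC16IS7XX_FIFO_SIZE directly after the sc16is7xx_port_read() call and logging a rate-limited warning there would keep the fault visible. It is also worth considering sending nothing in that pass, because a reported level above the FIFO size means the reading cannot be trusted and the clamp still queues up to a full FIFO on the strength of it. The commit message describes the limit as the driver's buffer while the code bounds by the FIFO constant; if the buffer is declared with SC16IS7XX_FIFO_SIZE that is equivalent, otherwise bounding by sizeof the buffer would tie the check to the object that is actually overrun. As a style point, both ternaries in this block read more clearly as min() calls.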