On Tue, 3 Nov 2015 15:19:41 +0100, Florian Achleitner wrote:
> If the chip wrongly reports a TX FIFO space, bigger than the driver's
> buffer, it runs over and destroys the struct sc16is7xx_port, its
> struct kworker, and very likely a lot more.
> For us, this led to the immediate crash of the driver's kworker thread.
>
> Prevent a buffer overrun by adding a length check.
>
> Signed-off-by: Florian Achleitner <achleitner.florian@xxxxxxxxxxx>
> ---
>  drivers/tty/serial/sc16is7xx.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
> index 02f37dc..107a099 100644
> --- a/drivers/tty/serial/sc16is7xx.c
> +++ b/drivers/tty/serial/sc16is7xx.c
> @@ -631,6 +631,8 @@ static void sc16is7xx_handle_tx(struct uart_port *port)
>  	/* Limit to size of TX FIFO */
>  	txlen = sc16is7xx_port_read(port, SC16IS7XX_TXLVL_REG);
>  	to_send = (to_send > txlen) ? txlen : to_send;
> +	/* prevent buffer overrun if reported txlen is flawed */
> +	to_send = (to_send > SC16IS7XX_FIFO_SIZE) ? SC16IS7XX_FIFO_SIZE : to_send;
>
>  	/* Add data to send */
>  	port->icount.tx += to_send;

Doesn't the second patch make this one unnecessary?
--
To unsubscribe from this list: send the line "unsubscribe linux-serial" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
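Review bot: the added second ternary in sc16is7xx_handle_tx() duplicates the clamp that the preceding line already performs, so the bound belongs on the value read from hardware rather than on to_send; clamping txlen right after the SC16IS7XX_TXLVL_REG read, e.g. `txlen = min_t(unsigned int, txlen, SC16IS7XX_FIFO_SIZE);`, lets the existing `to_send = (to_send > txlen) ? txlen : to_send;` bound the copy with one comparison and keeps the "Limit to size of TX FIFO" comment accurate. A TXLVL value larger than the FIFO can only come from a misread or faulty device, so silently clamping hides a bus or hardware problem; a rate-limited dev_warn() in that branch would make the condition visible in the log without changing the protective behaviour.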