On Thursday, November 05, 2015 11:31:10 PM Jakub Kiciński wrote: > On Thu, 5 Nov 2015 09:40:10 +0100, Florian Achleitner wrote: > > [ ... ] > > I would argue that this must not be possible, and thus we need this check. > > If read the code correctly you cap the txlen at FIFO_SIZE and to_send > is min of txlen and number of bytes to send therefore to_send cannot be > larger than FIFO_SIZE. Yes, correct. The struct sc16is7xx_port contains a buffer (buf) of size SC16IS7XX_FIFO_SIZE, which is the same as the chips fifo size, for obvious reasons. But if the chip pretends to have more TX FIFO space free than it can ever have, or we have a bit flip on the bus, or whatever, to_send can be bigger than the buffer in struct sc16is7xx_port. If we don't limit to_send, the for loop a few lines below copies to_send bytes from the uart port buffer to the driver's buffer and will therefore overrun the struct sc16is7xx_port buffer, which destroys many things and crashes at least the kworker, because it happens to come after the buffer in memory. This is what actually happened on my desk. > Also there is not buffer overflow possible on the TX side, did you mean > to insert this check on the RX side, maybe? On the RX side, such a bounds check is already there. I'll send another version of the patch with some more explaination in the comment. Florian -- To unsubscribe from this list: send the line "unsubscribe linux-serial" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
