If the chip wrongly reports a TX FIFO space bigger than the driver's buffer, it runs over when copying from the uart_port's buffer to the driver's. The overrun then destroys the struct sc16is7xx_port, its struct kworker, and very likely a lot more. For us, this led to the immediate crash of the driver's kworker thread.

Prevent a buffer overrun by adding a length check, and thus no longer allow a peripheral device to crash the kernel.

Signed-off-by: Florian Achleitner <achleitner.florian@xxxxxxxxxxx>
---
comment-only change: explain the problem better.

 drivers/tty/serial/sc16is7xx.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
index 02f37dc..9d2ea01 100644
--- a/drivers/tty/serial/sc16is7xx.c
+++ b/drivers/tty/serial/sc16is7xx.c
@@ -631,6 +631,13 @@ static void sc16is7xx_handle_tx(struct uart_port *port)
 	/* Limit to size of TX FIFO */
 	txlen = sc16is7xx_port_read(port, SC16IS7XX_TXLVL_REG);
 	to_send = (to_send > txlen) ? txlen : to_send;
+	/*
+	 * Prevent buffer overrun if reported txlen is flawed
+	 * Limit to the maximum size to the size of s->buf, which
+	 * is the same as the chips fifo size.
+	 */
+	to_send = (to_send > SC16IS7XX_FIFO_SIZE) ?
+		SC16IS7XX_FIFO_SIZE : to_send;
 
 	/* Add data to send */
 	port->icount.tx += to_send;
-- 
2.5.0
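Review bot: The clamp itself is right, since s->buf is sized to SC16IS7XX_FIFO_SIZE and a corrupt TXLVL read must never drive the copy length, but the new comment is garbled ("Limit to the maximum size to the size of s->buf"); suggest "Limit to the size of s->buf, which is the same as the chip's FIFO size." The open-coded ternary can also be replaced with the kernel's min()/min_t() helper, e.g. `to_send = min_t(unsigned int, to_send, SC16IS7XX_FIFO_SIZE);`, which reads as a bound rather than a conditional. Since a TXLVL value above the FIFO size means the register read returned garbage (bus glitch or misbehaving chip), consider a ratelimited warning when the clamp actually triggers, so the condition that used to crash the kworker is visible in the log instead of silently capped.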