Re: [PATCH 1/2] tty: max310x: fix off-by-one buffer access when storing overrun

Hello Jan,

On Wed, Aug 28, 2019 at 07:56:26PM +0200, Jan Kundrát wrote:
> A recent change split the insertion loop into two parts. The first part
> accessed bytes 0, 1, ... (rxlen - 2), and the second part by mistake
> took offset `rxlen` instead of the correct `rxlen - 1`. So one byte was
> not stored, and the final access wrote past the end of the rx_buf.
> 
> Fixes: 9c12d739d69b (tty: max310x: Split uart characters insertion loop)
> Signed-off-by: Jan Kundrát <jan.kundrat@xxxxxxxxx>

Good catch, thank you!

Reviewed-by: Serge Semin <fancer.lancer@xxxxxxxxx>

-Sergey

> ---
>  drivers/tty/serial/max310x.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c
> index e6c48a99bd85..0e0c2740ec7e 100644
> --- a/drivers/tty/serial/max310x.c
> +++ b/drivers/tty/serial/max310x.c
> @@ -689,7 +689,7 @@ static void max310x_handle_rx(struct uart_port *port, unsigned int rxlen)
>  		 * tail.
>  		 */
>  		uart_insert_char(port, sts, MAX310X_LSR_RXOVR_BIT,
> -				 one->rx_buf[rxlen], flag);
> +				 one->rx_buf[rxlen-1], flag);
>  
>  	} else {
>  		if (unlikely(rxlen >= port->fifosize)) {
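
Review bot: On the changed argument `one->rx_buf[rxlen-1]`, `rxlen` is an `unsigned int` (see the function signature in the hunk header), so the index wraps around to a huge value if max310x_handle_rx() is ever entered with rxlen == 0, and nothing in the visible context guards against that on this branch. It is worth confirming that the caller only invokes the function with a non-zero length, or adding an early return for rxlen == 0 before the insertion. Minor style point on the same line: kernel coding style puts spaces around binary operators, so `rxlen - 1`, which would also match how the commit message spells it.
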
> -- 
> 2.21.0
> 
> 


