Merge tag 'usb-serial-5.8-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git...

Johan writes:

USB-serial fixes for 5.8-rc6

Here's a fix for 5.8 addressing a long-standing bug in iuu_phoenix.

* tag 'usb-serial-5.8-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial:
  USB: serial: iuu_phoenix: fix memory corruption

diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index d5bff69..b8dfeb4 100644 (file)
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -697,14 +697,16 @@ static int iuu_uart_write(struct tty_struct *tty, struct usb_serial_port *port,
        struct iuu_private *priv = usb_get_serial_port_data(port);
        unsigned long flags;
 
-       if (count > 256)
-               return -ENOMEM;
-
        spin_lock_irqsave(&priv->lock, flags);
 
+       count = min(count, 256 - priv->writelen);
+       if (count == 0)
+               goto out;
+
        /* fill the buffer */
        memcpy(priv->writebuf + priv->writelen, buf, count);
        priv->writelen += count;
+out:
        spin_unlock_irqrestore(&priv->lock, flags);
 
        return count;