serial: access after NULL check in uart_flush_buffer()

commit 55d7b68996a5064f011d681bca412b6281d2f711 upstream

I noticed that

  static void uart_flush_buffer(struct tty_struct *tty)
  {
  	struct uart_state *state = tty->driver_data;
  	struct uart_port *port = state->port;
  	unsigned long flags;

  	/*
  	 * This means you called this function _after_ the port was
  	 * closed.  No cookie for you.
  	 */
  	if (!state || !state->info) {
  		WARN_ON(1);
  		return;
  	}

is too late for checking state != NULL.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c
index 0f5a17987ccacaf84283a1754134adfd7f3c2f7a..3bf9294a2c35ed0f6a61b1559d7fea51c94d796e 100644 (file)
--- a/drivers/serial/serial_core.c
+++ b/drivers/serial/serial_core.c
@@ -535,7 +535,7 @@ static int uart_chars_in_buffer(struct tty_struct *tty)
 static void uart_flush_buffer(struct tty_struct *tty)
 {
        struct uart_state *state = tty->driver_data;
-       struct uart_port *port = state->port;
+       struct uart_port *port;
        unsigned long flags;
 
        /*
@@ -547,6 +547,7 @@ static void uart_flush_buffer(struct tty_struct *tty)
                return;
        }
 
+       port = state->port;
        pr_debug("uart_flush_buffer(%d) called\n", tty->index);
 
        spin_lock_irqsave(&port->lock, flags);