i2c: xgene: Avoid dma_buffer overrun
authorHoan Tran <hotran@apm.com>
Mon, 10 Oct 2016 17:13:10 +0000 (10:13 -0700)
committerWolfram Sang <wsa@the-dreams.de>
Tue, 25 Oct 2016 09:50:52 +0000 (11:50 +0200)
SMBus block command uses the first byte of buffer for the data length.
The dma_buffer should be increased by 1 to avoid the overrun issue.

Reported-by: Phil Endecott <phil_gjouf_endecott@chezphil.org>
Signed-off-by: Hoan Tran <hotran@apm.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
drivers/i2c/busses/i2c-xgene-slimpro.c

index 263685c7a5128773f12dfc00bd4ba75324aeee4c..05cf192ef1acae340397d9ff67f942bca6d08d3e 100644 (file)
@@ -105,7 +105,7 @@ struct slimpro_i2c_dev {
        struct mbox_chan *mbox_chan;
        struct mbox_client mbox_client;
        struct completion rd_complete;
-       u8 dma_buffer[I2C_SMBUS_BLOCK_MAX];
+       u8 dma_buffer[I2C_SMBUS_BLOCK_MAX + 1]; /* dma_buffer[0] is used for length */
        u32 *resp_msg;
 };