From patchwork Fri May 16 14:46:21 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Valentin Longchamp X-Patchwork-Id: 4193821 Return-Path: X-Original-To: patchwork-linux-spi@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id BFE18BFF02 for ; Fri, 16 May 2014 14:46:29 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id B7C77202EB for ; Fri, 16 May 2014 14:46:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5454A20295 for ; Fri, 16 May 2014 14:46:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756966AbaEPOq1 (ORCPT ); Fri, 16 May 2014 10:46:27 -0400 Received: from mail-de.keymile.com ([195.8.104.250]:40693 "EHLO mail-de.keymile.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756295AbaEPOq0 (ORCPT ); Fri, 16 May 2014 10:46:26 -0400 Received: from frodo.de.keymile.net ([10.9.1.54]:52571 helo=mailrelay.de.keymile.net) by mail-de.keymile.com with esmtp (Exim 4.76) (envelope-from ) id 1WlJOx-0004Sk-0F; Fri, 16 May 2014 16:46:23 +0200 Received: from ch900166.keymile.net (ch900166.keymile.net [172.31.40.218]) by mailrelay.de.keymile.net (8.12.2/8.12.2) with ESMTP id s4GEkLLf008716; Fri, 16 May 2014 16:46:22 +0200 (MEST) From: Valentin Longchamp To: Linux SPI , Mark Brown Cc: Mark Marshall , Valentin Longchamp Subject: [PATCH] spi/fsl-espi: fix rx_buf in fsl_espi_cmd_trans()/fsl_espi_rw_trans() Date: Fri, 16 May 2014 16:46:21 +0200 Message-Id: <1400251581-26617-1-git-send-email-valentin.longchamp@keymile.com> X-Mailer: git-send-email 1.8.0.1 Sender: linux-spi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-spi@vger.kernel.org X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP By default for every espi transfer, the rx_buf is placed right after the tx_buf. This can lead to a buffer overflow when the size of both the TX and RX data cumulated is higher than the allocated 64K buffer for the transfer (this is the case when sending for instance a read command and reading 64K back, please see: http://article.gmane.org/gmane.linux.drivers.mtd/53411 ) This gets fixed by always setting the RX buffer pointer at the begining of the transfer buffer. Signed-off-by: Valentin Longchamp --- drivers/spi/spi-fsl-espi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-fsl-espi.c b/drivers/spi/spi-fsl-espi.c index e767f58..f17d6bd 100644 --- a/drivers/spi/spi-fsl-espi.c +++ b/drivers/spi/spi-fsl-espi.c @@ -348,7 +348,7 @@ static void fsl_espi_cmd_trans(struct spi_message *m, } espi_trans->tx_buf = local_buf; - espi_trans->rx_buf = local_buf + espi_trans->n_tx; + espi_trans->rx_buf = local_buf; fsl_espi_do_trans(m, espi_trans); espi_trans->actual_length = espi_trans->len; @@ -397,7 +397,7 @@ static void fsl_espi_rw_trans(struct spi_message *m, espi_trans->n_rx = trans_len; espi_trans->len = trans_len + n_tx; espi_trans->tx_buf = local_buf; - espi_trans->rx_buf = local_buf + n_tx; + espi_trans->rx_buf = local_buf; fsl_espi_do_trans(m, espi_trans); memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);