[PATCH 4.4 01/69] i2c: xgene: Avoid dma_buffer overrun
From: Greg Kroah-Hartman
Date: Wed Nov 09 2016 - 05:44:55 EST
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hoan Tran <hotran@xxxxxxx>
commit 603616017c35f4d0fbdbcace72adf9bf949c4a65 upstream.
SMBus block command uses the first byte of buffer for the data length.
The dma_buffer should be increased by 1 to avoid the overrun issue.
Reported-by: Phil Endecott <phil_gjouf_endecott@xxxxxxxxxxxx>
Signed-off-by: Hoan Tran <hotran@xxxxxxx>
Signed-off-by: Wolfram Sang <wsa@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/i2c/busses/i2c-xgene-slimpro.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
@@ -105,7 +105,7 @@ struct slimpro_i2c_dev {
struct mbox_chan *mbox_chan;
struct mbox_client mbox_client;
struct completion rd_complete;
- u8 dma_buffer[I2C_SMBUS_BLOCK_MAX];
+ u8 dma_buffer[I2C_SMBUS_BLOCK_MAX + 1]; /* dma_buffer[0] is used for length */
u32 *resp_msg;
};