spi/fsl-espi: fix rx_buf in fsl_espi_cmd_trans()/fsl_espi_rw_trans()

By default for every espi transfer, the rx_buf is placed right after the tx_buf. This can lead to a buffer overflow when the size of both the TX and RX data cumulated is higher than the allocated 64K buffer for the transfer (this is the case when sending for instance a read command and reading 64K back, please see: http://article.gmane.org/gmane.linux.drivers.mtd/53411 ) This gets fixed by always setting the RX buffer pointer at the begining of the transfer buffer. [The driver shouldn't be doing the copy in the first place and instead sending directly from the supplied buffer but this is at least not worse than what's there -- broonie] Signed-off-by: Valentin Longchamp <valentin.longchamp@keymile.com> Signed-off-by: Mark Brown <broonie@linaro.org>
author: Valentin Longchamp <valentin.longchamp@keymile.com> 2014-05-16 10:46:21 -0400
committer: Mark Brown <broonie@linaro.org> 2014-05-26 11:56:45 -0400
commit: a2cb1be18254fd1479d87f7860af7a8413508e16 (patch)
tree: cf039f87924391bb1f5b3b665e428d5d9e06d64c
parent: d0fb47a5237d8b9576113568bacfd27892308b62 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/spi/spi-fsl-espi.c b/drivers/spi/spi-fsl-espi.c
index 24096c84e9c4..f0d7662e4d45 100644
--- a/drivers/spi/spi-fsl-espi.c
+++ b/drivers/spi/spi-fsl-espi.c
@@ -348,7 +348,7 @@ static void fsl_espi_cmd_trans(struct spi_message *m,
        }
        espi_trans->tx_buf = local_buf;
-        espi_trans->rx_buf = local_buf + espi_trans->n_tx;
+        espi_trans->rx_buf = local_buf;
        fsl_espi_do_trans(m, espi_trans);
        espi_trans->actual_length = espi_trans->len;
@@ -397,7 +397,7 @@ static void fsl_espi_rw_trans(struct spi_message *m,
                espi_trans->n_rx = trans_len;
                espi_trans->len = trans_len + n_tx;
                espi_trans->tx_buf = local_buf;
-                espi_trans->rx_buf = local_buf + n_tx;
+                espi_trans->rx_buf = local_buf;
                fsl_espi_do_trans(m, espi_trans);
                memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);
author	Valentin Longchamp <valentin.longchamp@keymile.com>	2014-05-16 10:46:21 -0400
committer	Mark Brown <broonie@linaro.org>	2014-05-26 11:56:45 -0400
commit	a2cb1be18254fd1479d87f7860af7a8413508e16 (patch)
tree	cf039f87924391bb1f5b3b665e428d5d9e06d64c
parent	d0fb47a5237d8b9576113568bacfd27892308b62 (diff)

diff --git a/drivers/spi/spi-fsl-espi.c b/drivers/spi/spi-fsl-espi.c index 24096c84e9c4..f0d7662e4d45 100644 --- a/drivers/spi/spi-fsl-espi.c +++ b/drivers/spi/spi-fsl-espi.c
@@ -348,7 +348,7 @@ static void fsl_espi_cmd_trans(struct spi_message *m,
348	}	348	}
349		349
350	espi_trans->tx_buf = local_buf;	350	espi_trans->tx_buf = local_buf;
351	espi_trans->rx_buf = local_buf + espi_trans->n_tx;	351	espi_trans->rx_buf = local_buf;
352	fsl_espi_do_trans(m, espi_trans);	352	fsl_espi_do_trans(m, espi_trans);
353		353
354	espi_trans->actual_length = espi_trans->len;	354	espi_trans->actual_length = espi_trans->len;
@@ -397,7 +397,7 @@ static void fsl_espi_rw_trans(struct spi_message *m,
397	espi_trans->n_rx = trans_len;	397	espi_trans->n_rx = trans_len;
398	espi_trans->len = trans_len + n_tx;	398	espi_trans->len = trans_len + n_tx;
399	espi_trans->tx_buf = local_buf;	399	espi_trans->tx_buf = local_buf;
400	espi_trans->rx_buf = local_buf + n_tx;	400	espi_trans->rx_buf = local_buf;
401	fsl_espi_do_trans(m, espi_trans);	401	fsl_espi_do_trans(m, espi_trans);
402		402
403	memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);	403	memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);