tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
"Two bugfixes for the I2C core: Lixing Wang fixed a refcounting problem
with DT nodes. Jeremy Compostella fixed a buffer overflow possibility
when using a 'don't use' ioctl interface directly"
* 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA
i2c: core: decrease reference count of device node in i2c_unregister_device
+12
-7
+5
-1
drivers/i2c/i2c-core-base.c
+5
-1
drivers/i2c/i2c-core-base.c
···
821
821
{
822
822
if (!client)
823
823
return;
824
-
if (client->dev.of_node)
824
+
825
+
if (client->dev.of_node) {
825
826
of_node_clear_flag(client->dev.of_node, OF_POPULATED);
827
+
of_node_put(client->dev.of_node);
828
+
}
829
+
826
830
if (ACPI_COMPANION(&client->dev))
827
831
acpi_device_clear_enumerated(ACPI_COMPANION(&client->dev));
828
832
device_unregister(&client->dev);
+7
-6
drivers/i2c/i2c-core-smbus.c
+7
-6
drivers/i2c/i2c-core-smbus.c
···
397
397
the underlying bus driver */
398
398
break;
399
399
case I2C_SMBUS_I2C_BLOCK_DATA:
400
+
if (data->block[0] > I2C_SMBUS_BLOCK_MAX) {
401
+
dev_err(&adapter->dev, "Invalid block %s size %d\n",
402
+
read_write == I2C_SMBUS_READ ? "read" : "write",
403
+
data->block[0]);
404
+
return -EINVAL;
405
+
}
406
+
400
407
if (read_write == I2C_SMBUS_READ) {
401
408
msg[1].len = data->block[0];
402
409
} else {
403
410
msg[0].len = data->block[0] + 1;
404
-
if (msg[0].len > I2C_SMBUS_BLOCK_MAX + 1) {
405
-
dev_err(&adapter->dev,
406
-
"Invalid block write size %d\n",
407
-
data->block[0]);
408
-
return -EINVAL;
409
-
}
410
411
for (i = 1; i <= data->block[0]; i++)
411
412
msgbuf0[i] = data->block[i];
412
413
}