Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

spi/fsl-espi: fix rx_buf in fsl_espi_cmd_trans()/fsl_espi_rw_trans()

By default for every espi transfer, the rx_buf is placed right after the
tx_buf. This can lead to a buffer overflow when the size of both the TX
and RX data cumulated is higher than the allocated 64K buffer for the
transfer (this is the case when sending for instance a read command and
reading 64K back, please see:
http://article.gmane.org/gmane.linux.drivers.mtd/53411)

This gets fixed by always setting the RX buffer pointer at the beginning
of the transfer buffer.

[The driver shouldn't be doing the copy in the first place and instead
sending directly from the supplied buffer but this is at least not worse
than what's there -- broonie]

Signed-off-by: Valentin Longchamp <valentin.longchamp@keymile.com>
Signed-off-by: Mark Brown <broonie@linaro.org>

Authored by Valentin Longchamp and committed by Mark Brown
a2cb1be1 d0fb47a5

+2 -2
drivers/spi/spi-fsl-espi.c
··· 348 348 } 349 349 350 350 espi_trans->tx_buf = local_buf; 351 - espi_trans->rx_buf = local_buf + espi_trans->n_tx; 351 + espi_trans->rx_buf = local_buf; 352 352 fsl_espi_do_trans(m, espi_trans); 353 353 354 354 espi_trans->actual_length = espi_trans->len; ··· 397 397 espi_trans->n_rx = trans_len; 398 398 espi_trans->len = trans_len + n_tx; 399 399 espi_trans->tx_buf = local_buf; 400 - espi_trans->rx_buf = local_buf + n_tx; 400 + espi_trans->rx_buf = local_buf; 401 401 fsl_espi_do_trans(m, espi_trans); 402 402 403 403 memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);
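Review bot: in the first hunk (fsl_espi_cmd_trans(), the change at line 351), `espi_trans->rx_buf = local_buf;` placed directly under `espi_trans->tx_buf = local_buf;` reads like a copy-paste slip to anyone who did not follow this thread, because the transmit and receive buffers now alias each other. Please add a one-line comment stating that the aliasing is intentional and is only safe because a byte is received only after the corresponding byte has been clocked out, so the receive index can never run ahead of the transmit index inside fsl_espi_do_trans(). That comment should also make explicit that, with both pointers at the start of the buffer, the cap on `espi_trans->len` against the 64K allocation is now the single check that prevents the overflow described in the commit message; that cap is outside this hunk, so confirm it is enforced where `len` is computed rather than relying on callers.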
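Review bot: the second hunk (fsl_espi_rw_trans(), the change at line 400) depends on the `n_tx` command bytes being rewritten into `local_buf` before every chunk's fsl_espi_do_trans() call, not only the first one, since the receive path now overwrites the first `n_tx` bytes of `local_buf` (the command just sent) with the bytes clocked in during the command phase. That rewrite happens outside this hunk, so please confirm it is done on every iteration over `pos`; otherwise the second and later chunks would transmit received data as their command. The rest of the hunk is consistent: `memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);` correctly skips the command-phase bytes, and with `espi_trans->len = trans_len + n_tx;` the receive now ends at `local_buf + n_tx + trans_len` instead of `local_buf + 2 * n_tx + trans_len`, which is what removes the overflow as long as `trans_len` is limited to the buffer size minus `n_tx`.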