spi/fsl-espi: fix rx_buf in fsl_espi_cmd_trans()/fsl_espi_rw_trans()
By default for every espi transfer, the rx_buf is placed right after the
tx_buf. This can lead to a buffer overflow when the size of both the TX
and RX data cumulated is higher than the allocated 64K buffer for the
transfer (this is the case when sending for instance a read command and
reading 64K back, please see:
http://article.gmane.org/gmane.linux.drivers.mtd/53411 )

This gets fixed by always setting the RX buffer pointer at the beginning
of the transfer buffer.

[The driver shouldn't be doing the copy in the first place and instead
sending directly from the supplied buffer but this is at least not worse
than what's there -- broonie]

Signed-off-by: Valentin Longchamp <valentin.longchamp@keymile.com>
Signed-off-by: Mark Brown <broonie@linaro.org>
Valentin Longchamp authored and Mark Brown committed May 26, 2014
1 parent d0fb47a commit a2cb1be
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions drivers/spi/spi-fsl-espi.c
Expand Up @@ -348,7 +348,7 @@ static void fsl_espi_cmd_trans(struct spi_message *m,
}

espi_trans->tx_buf = local_buf;
espi_trans->rx_buf = local_buf + espi_trans->n_tx;
espi_trans->rx_buf = local_buf;
fsl_espi_do_trans(m, espi_trans);

espi_trans->actual_length = espi_trans->len;
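Review bot: with `espi_trans->rx_buf = local_buf;` the receive pointer now aliases `espi_trans->tx_buf` in fsl_espi_cmd_trans(), and nothing at the assignment records that this is intentional. A one-line comment stating that received bytes are written over the transmit bytes in place, and that fsl_espi_do_trans() has to tolerate tx_buf == rx_buf, would keep a later cleanup from reintroducing the offset. The hunk does not show where this function's caller reads the reply out of local_buf, so that reader should be confirmed against the new layout as part of the change.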
Expand Down Expand Up @@ -397,7 +397,7 @@ static void fsl_espi_rw_trans(struct spi_message *m,
espi_trans->n_rx = trans_len;
espi_trans->len = trans_len + n_tx;
espi_trans->tx_buf = local_buf;
espi_trans->rx_buf = local_buf + n_tx;
espi_trans->rx_buf = local_buf;
fsl_espi_do_trans(m, espi_trans);

memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len);
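Review bot: the unchanged `memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx, trans_len)` now reads local_buf from offset n_tx up to n_tx + trans_len, which equals the `espi_trans->len` set a few lines above, and nothing in this hunk checks that sum against the size of local_buf. Moving rx_buf to the start of the buffer removes the extra n_tx of displacement, but the fix still depends on trans_len + n_tx fitting in the allocation. Consider an explicit bound check before fsl_espi_do_trans(), or a comment pointing at the place where trans_len is clamped, so the invariant is visible next to the copy.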