Dear Experts,

Can someone please have a look at this declaration in i2c-xgene-slimpro.c:

    struct slimpro_i2c_dev {
            struct i2c_adapter adapter;
            struct device *dev;
            struct mbox_chan *mbox_chan;
            struct mbox_client mbox_client;
            struct completion rd_complete;
            u8 dma_buffer[I2C_SMBUS_BLOCK_MAX];
            u32 *resp_msg;
    };

It seems to me that the size of dma_buffer should be I2C_SMBUS_BLOCK_MAX+2, to match this in uapi/linux/i2c.h:

    union i2c_smbus_data {
            __u8 byte;
            __u16 word;
            __u8 block[I2C_SMBUS_BLOCK_MAX + 2]; /* block[0] is used for length */
                                   /* and one more for user-space compatibility */
    };

My debugging shows that 33 is often passed as readlen to dma_map_single() in slimpro_i2c_blkrd(). So either the buffer needs to be larger, or the caller is misbehaving. Certainly increasing the size of dma_buffer by 2 fixes crashes that I have been seeing.

This is the first time I've ever looked at anything in the i2c system so I may have completely misunderstood everything....

(If I'm right, is anyone aware of any static analysis method that should have been able to detect this?)

Thanks, Phil.