Hi Jeremy,

>        unsigned char msgbuf1[I2C_SMBUS_BLOCK_MAX+2];
> 
> It uses the first element to store the requested length.  Therefore,
> in practice, we hit the issue with "greater than I2C_SMBUS_BLOCK_MAX +
> 1".

Right, there is one extra byte reserved for PEC. So, the actual buffer
overflow will happen at I2C_SMBUS_BLOCK_MAX + 1 since
I2C_SMBUS_I2C_BLOCK_DATA does not have PEC.

> I have a added a little c ternary instruction to keep the same level
> of debug/error information.  If you don't like it we can remove it.

I like it. I just didn't include it in my proof of concept.

> I have updated, tested and attached the new version to this email.  I

Very good, thank you!

> also improved the commit message by adding some information about what
> is expected by the documentation. I don't know what is the process to
> update the patch to the mailing list.  Should I send a new email with
> the new patch instead ?

Technically, yes. Usually, resend it as [PATCH v2] with a small
changelog what changed since last version. Just dig the mail archive for
examples. However, since I really want this in v4.15, I picked this
patch from the attachment and have applied it to i2c/for-current and
attached the stable-tag.

Thank you very much!

   Wolfram