From: nico.vince@gmail.com
To: jochen@scram.de
Cc: linuxppc-dev@lists.ozlabs.org, linux-i2c@vger.kernel.org,
Nicolas VINCENT <nicolas.vincent@vossloh.com>
Subject: [PATCH] i2c: cpm: Fix i2c_ram structure
Date: Tue, 22 Sep 2020 11:04:00 +0200 [thread overview]
Message-ID: <20200922090400.6282-1-nicolas.vincent@vossloh.com> (raw)
From: Nicolas VINCENT <nicolas.vincent@vossloh.com>
the i2c_ram structure is missing the sdmatmp field mentionned in
datasheet for MPC8272 at paragraph 36.5. With this field missing, the
hardware would write past the allocated memory done through
cpm_muram_alloc for the i2c_ram structure and land in memory allocated
for the buffers descriptors corrupting the cbd_bufaddr field. Since this
field is only set during setup(), the first i2c transaction would work
and the following would send data read from an arbitrary memory
location.
Signed-off-by: Nicolas VINCENT <nicolas.vincent@vossloh.com>
---
drivers/i2c/busses/i2c-cpm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c
index 1213e1932ccb..c5700addbf65 100644
--- a/drivers/i2c/busses/i2c-cpm.c
+++ b/drivers/i2c/busses/i2c-cpm.c
@@ -64,7 +64,8 @@ struct i2c_ram {
uint txtmp; /* Internal */
char res1[4]; /* Reserved */
ushort rpbase; /* Relocation pointer */
- char res2[2]; /* Reserved */
+ char res2[6]; /* Reserved */
+ uint sdmatmp; /* Internal */
};
#define I2COM_START 0x80
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: nico.vince@gmail.com
To: jochen@scram.de
Cc: Nicolas VINCENT <nicolas.vincent@vossloh.com>,
linuxppc-dev@lists.ozlabs.org, linux-i2c@vger.kernel.org
Subject: [PATCH] i2c: cpm: Fix i2c_ram structure
Date: Tue, 22 Sep 2020 11:04:00 +0200 [thread overview]
Message-ID: <20200922090400.6282-1-nicolas.vincent@vossloh.com> (raw)
From: Nicolas VINCENT <nicolas.vincent@vossloh.com>
the i2c_ram structure is missing the sdmatmp field mentionned in
datasheet for MPC8272 at paragraph 36.5. With this field missing, the
hardware would write past the allocated memory done through
cpm_muram_alloc for the i2c_ram structure and land in memory allocated
for the buffers descriptors corrupting the cbd_bufaddr field. Since this
field is only set during setup(), the first i2c transaction would work
and the following would send data read from an arbitrary memory
location.
Signed-off-by: Nicolas VINCENT <nicolas.vincent@vossloh.com>
---
drivers/i2c/busses/i2c-cpm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c
index 1213e1932ccb..c5700addbf65 100644
--- a/drivers/i2c/busses/i2c-cpm.c
+++ b/drivers/i2c/busses/i2c-cpm.c
@@ -64,7 +64,8 @@ struct i2c_ram {
uint txtmp; /* Internal */
char res1[4]; /* Reserved */
ushort rpbase; /* Relocation pointer */
- char res2[2]; /* Reserved */
+ char res2[6]; /* Reserved */
+ uint sdmatmp; /* Internal */
};
#define I2COM_START 0x80
--
2.17.1
next reply other threads:[~2020-09-22 9:04 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-22 9:04 nico.vince [this message]
2020-09-22 9:04 ` [PATCH] i2c: cpm: Fix i2c_ram structure nico.vince
2020-09-22 11:50 ` Joakim Tjernlund
2020-09-22 12:38 ` Christophe Leroy
2020-09-23 7:18 ` Vincent Nicolas
2020-09-23 8:01 ` Christophe Leroy
2020-09-23 12:55 ` Vincent Nicolas
2020-09-23 13:04 ` Christophe Leroy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200922090400.6282-1-nicolas.vincent@vossloh.com \
--to=nico.vince@gmail.com \
--cc=jochen@scram.de \
--cc=linux-i2c@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nicolas.vincent@vossloh.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.