From: Gong Qianyu Date: Tue, 26 Jan 2016 07:06:41 +0000 (+0800) Subject: spi: fsl_qspi: Fix qspi_op_rdsr memcpy issue X-Git-Tag: v2016.03-rc1~45^2~4 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=940d2b89bf36c17dfc9972111b68391c35b4e9f2;p=u-boot spi: fsl_qspi: Fix qspi_op_rdsr memcpy issue In current driver, we always copy 4 bytes to the dest memory. Actually the dest memory may be shorter than 4 bytes. Add an argument to indicate the dest memory length. Avoid writing memory outside of the bounds. Signed-off-by: Gong Qianyu Reviewed-by: York Sun --- diff --git a/drivers/spi/fsl_qspi.c b/drivers/spi/fsl_qspi.c index 3553e0038f..cb8d929d07 100644 --- a/drivers/spi/fsl_qspi.c +++ b/drivers/spi/fsl_qspi.c @@ -639,7 +639,7 @@ static void qspi_op_write(struct fsl_qspi_priv *priv, u8 *txbuf, u32 len) qspi_write32(priv->flags, ®s->mcr, mcr_reg); } -static void qspi_op_rdsr(struct fsl_qspi_priv *priv, u32 *rxbuf) +static void qspi_op_rdsr(struct fsl_qspi_priv *priv, void *rxbuf, u32 len) { struct fsl_qspi_regs *regs = priv->regs; u32 mcr_reg, reg, data; @@ -662,7 +662,7 @@ static void qspi_op_rdsr(struct fsl_qspi_priv *priv, u32 *rxbuf) if (reg & QSPI_RBSR_RDBFL_MASK) { data = qspi_read32(priv->flags, ®s->rbdr[0]); data = qspi_endian_xchg(data); - memcpy(rxbuf, &data, 4); + memcpy(rxbuf, &data, len); qspi_write32(priv->flags, ®s->mcr, qspi_read32(priv->flags, ®s->mcr) | QSPI_MCR_CLR_RXF_MASK); @@ -751,7 +751,7 @@ int qspi_xfer(struct fsl_qspi_priv *priv, unsigned int bitlen, } else if (priv->cur_seqid == QSPI_CMD_RDID) qspi_op_rdid(priv, din, bytes); else if (priv->cur_seqid == QSPI_CMD_RDSR) - qspi_op_rdsr(priv, din); + qspi_op_rdsr(priv, din, bytes); #ifdef CONFIG_SPI_FLASH_BAR else if ((priv->cur_seqid == QSPI_CMD_BRRD) || (priv->cur_seqid == QSPI_CMD_RDEAR)) {