More correctly handle I²C exec ioctls with both a command and write data

phase. Previously the data phase of ioctl writes was sending uninitialized kernel stack to the addressed device.
2015-01-22 17:56:35 +00:00 · 2015-01-22 17:56:35 +00:00 · 1770391621
parent a8d0d44274
commit 1770391621
1 changed files with 10 additions and 3 deletions
--- a/sys/dev/i2c/i2c.c
+++ b/sys/dev/i2c/i2c.c
@ -1,4 +1,4 @@
-/*	$NetBSD: i2c.c,v 1.45 2014/12/07 00:32:35 jmcneill Exp $	*/
+/*	$NetBSD: i2c.c,v 1.46 2015/01/22 17:56:35 jakllsch Exp $	*/

 /*
 * Copyright (c) 2003 Wasabi Systems, Inc.
@ -40,7 +40,7 @@
 #endif

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: i2c.c,v 1.45 2014/12/07 00:32:35 jmcneill Exp $");
+__KERNEL_RCSID(0, "$NetBSD: i2c.c,v 1.46 2015/01/22 17:56:35 jakllsch Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -525,6 +525,13 @@ iic_ioctl_exec(struct iic_softc *sc, i2c_ioctl_exec_t *iie, int flag)
 		}
 	}

+	if (iie->iie_buf != NULL && I2C_OP_WRITE_P(iie->iie_op)) {
+		error = copyin(iie->iie_buf, buf, iie->iie_buflen);
+		if (error) {
+			return error;
+		}
+	}
+
 	iic_acquire_bus(ic, 0);
 	error = iic_exec(ic, iie->iie_op, iie->iie_addr, cmd, iie->iie_cmdlen,
 	    buf, iie->iie_buflen, 0);
@ -542,7 +549,7 @@ iic_ioctl_exec(struct iic_softc *sc, i2c_ioctl_exec_t *iie, int flag)
 	if (error)
 		return error;

-	if (iie->iie_buf)
+	if (iie->iie_buf != NULL && I2C_OP_READ_P(iie->iie_op))
 		error = copyout(buf, iie->iie_buf, iie->iie_buflen);

 	return error;