From 940d2b89bf36c17dfc9972111b68391c35b4e9f2 Mon Sep 17 00:00:00 2001
From: Gong Qianyu <Qianyu.Gong@freescale.com>
Date: Tue, 26 Jan 2016 15:06:41 +0800
Subject: spi: fsl_qspi: Fix qspi_op_rdsr memcpy issue

In current driver, we always copy 4 bytes to the dest memory.
Actually the dest memory may be shorter than 4 bytes.
Add an argument to indicate the dest memory length.
Avoid writing memory outside of the bounds.

Signed-off-by: Gong Qianyu <Qianyu.Gong@freescale.com>
Reviewed-by: York Sun <york.sun@nxp.com>

diff --git a/drivers/spi/fsl_qspi.c b/drivers/spi/fsl_qspi.c
index 3553e00..cb8d929 100644
--- a/drivers/spi/fsl_qspi.c
+++ b/drivers/spi/fsl_qspi.c
@@ -639,7 +639,7 @@ static void qspi_op_write(struct fsl_qspi_priv *priv, u8 *txbuf, u32 len)
 	qspi_write32(priv->flags, &regs->mcr, mcr_reg);
 }
 
-static void qspi_op_rdsr(struct fsl_qspi_priv *priv, u32 *rxbuf)
+static void qspi_op_rdsr(struct fsl_qspi_priv *priv, void *rxbuf, u32 len)
 {
 	struct fsl_qspi_regs *regs = priv->regs;
 	u32 mcr_reg, reg, data;
@@ -662,7 +662,7 @@ static void qspi_op_rdsr(struct fsl_qspi_priv *priv, u32 *rxbuf)
 		if (reg & QSPI_RBSR_RDBFL_MASK) {
 			data = qspi_read32(priv->flags, &regs->rbdr[0]);
 			data = qspi_endian_xchg(data);
-			memcpy(rxbuf, &data, 4);
+			memcpy(rxbuf, &data, len);
 			qspi_write32(priv->flags, &regs->mcr,
 				     qspi_read32(priv->flags, &regs->mcr) |
 				     QSPI_MCR_CLR_RXF_MASK);
@@ -751,7 +751,7 @@ int qspi_xfer(struct fsl_qspi_priv *priv, unsigned int bitlen,
 		} else if (priv->cur_seqid == QSPI_CMD_RDID)
 			qspi_op_rdid(priv, din, bytes);
 		else if (priv->cur_seqid == QSPI_CMD_RDSR)
-			qspi_op_rdsr(priv, din);
+			qspi_op_rdsr(priv, din, bytes);
 #ifdef CONFIG_SPI_FLASH_BAR
 		else if ((priv->cur_seqid == QSPI_CMD_BRRD) ||
 			 (priv->cur_seqid == QSPI_CMD_RDEAR)) {
-- 
cgit v0.10.2