From 1ccf3affe3026087224122dee6db4ea3a917a07c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Sep 2017 11:43:31 +0200
Subject: [PATCH] 3.18-stable patches
added patches:
i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
---
...e-the-receive-length-for-block-reads.patch | 54 +++++++++++++++++++
...ze-for-block-reads-with-bogus-length.patch | 40 ++++++++++++++
queue-3.18/series | 2 +
3 files changed, 96 insertions(+)
create mode 100644 queue-3.18/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
create mode 100644 queue-3.18/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
diff --git a/queue-3.18/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch b/queue-3.18/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
new file mode 100644
index 00000000000..b71df147c09
--- /dev/null
+++ b/queue-3.18/i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
@@ -0,0 +1,54 @@
+From b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 Mon Sep 17 00:00:00 2001
+From: Stephen Douthit
+Date: Mon, 7 Aug 2017 17:10:59 -0400
+Subject: i2c: ismt: Don't duplicate the receive length for block reads
+
+From: Stephen Douthit
+
+commit b6c159a9cb69c2cf0bf59d4e12c3a2da77e4d994 upstream.
+
+According to Table 15-14 of the C2000 EDS (Intel doc #510524) the
+rx data pointed to by the descriptor dptr contains the byte count.
+
+desc->rxbytes reports all bytes read on the wire, including the
+"byte count" byte. So if a device sends 4 bytes in response to a
+block read, on the wire and in the DMA buffer we see:
+
+count data1 data2 data3 data4
+ 0x04 0xde 0xad 0xbe 0xef
+
+That's what we want to return in data->block to the next level.
+
+Instead we were actually prefixing that with desc->rxbytes:
+
+bad
+count count data1 data2 data3 data4
+ 0x05 0x04 0xde 0xad 0xbe 0xef
+
+This was discovered while developing a BMC solution relying on the
+ipmi_ssif.c driver which was trying to interpret the bogus length
+field as part of the IPMI response.
+
+Signed-off-by: Stephen Douthit
+Tested-by: Dan Priamo
+Acked-by: Neil Horman
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-ismt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -340,8 +340,8 @@ static int ismt_process_desc(const struc
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+ case I2C_SMBUS_I2C_BLOCK_DATA:
+- memcpy(&data->block[1], dma_buffer, desc->rxbytes);
+- data->block[0] = desc->rxbytes;
++ memcpy(data->block, dma_buffer, desc->rxbytes);
++ data->block[0] = desc->rxbytes - 1;
+ break;
+ }
+ return 0;
diff --git a/queue-3.18/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch b/queue-3.18/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
new file mode 100644
index 00000000000..f5a84537cd1
--- /dev/null
+++ b/queue-3.18/i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
@@ -0,0 +1,40 @@
+From ba201c4f5ebe13d7819081756378777d8153f23e Mon Sep 17 00:00:00 2001
+From: Stephen Douthit
+Date: Mon, 7 Aug 2017 17:11:00 -0400
+Subject: i2c: ismt: Return EMSGSIZE for block reads with bogus length
+
+From: Stephen Douthit
+
+commit ba201c4f5ebe13d7819081756378777d8153f23e upstream.
+
+Compare the number of bytes actually seen on the wire to the byte
+count field returned by the slave device.
+
+Previously we just overwrote the byte count returned by the slave
+with the real byte count and let the caller figure out if the
+message was sane.
+
+Signed-off-by: Stephen Douthit
+Tested-by: Dan Priamo
+Acked-by: Neil Horman
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-ismt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -340,8 +340,10 @@ static int ismt_process_desc(const struc
+ break;
+ case I2C_SMBUS_BLOCK_DATA:
+ case I2C_SMBUS_I2C_BLOCK_DATA:
++ if (desc->rxbytes != dma_buffer[0] + 1)
++ return -EMSGSIZE;
++
+ memcpy(data->block, dma_buffer, desc->rxbytes);
+- data->block[0] = desc->rxbytes - 1;
+ break;
+ }
+ return 0;
diff --git a/queue-3.18/series b/queue-3.18/series
index e69de29bb2d..ab352444844 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -0,0 +1,2 @@
+i2c-ismt-don-t-duplicate-the-receive-length-for-block-reads.patch
+i2c-ismt-return-emsgsize-for-block-reads-with-bogus-length.patch
--
2.47.3
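Review bot: The check added in the EMSGSIZE patch, `if (desc->rxbytes != dma_buffer[0] + 1)`, only confirms that two device-derived values agree; neither is compared with the size of `data->block` before `memcpy(data->block, dma_buffer, desc->rxbytes)`. The same unbounded copy is introduced by the first queued patch (`memcpy(data->block, dma_buffer, desc->rxbytes)` in the block-read case). Unless the descriptor setup or the controller caps the read length, which these hunks do not show, a slave that reports a consistent but oversized count could make the copy run past the destination buffer. I would add an explicit bound ahead of the copy, for example `if (desc->rxbytes > I2C_SMBUS_BLOCK_MAX + 1) return -EMSGSIZE;`, with a short comment noting that rxbytes includes the count byte. `ismt_process_desc` starts and ends outside the hunk, so an earlier guard may already exist and should be confirmed against the 3.18 tree.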