i2c: ismt: use correct length when copy buffer

commit 979bbf7b7ae75cfc06e09d09eda38009a3bdc4a4 upstream.

In block write mode, when encapsulating dma_buffer, first element is
'command', the rest is data buffer, so only copy actual data buffer
starting from block[1] with the size indicating by block[0].

Signed-off-by: Fan Du <fan.du@intel.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 8ce4f51..6e932d1 100644 (file)
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -497,7 +497,7 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
                        desc->wr_len_cmd = dma_size;
                        desc->control |= ISMT_DESC_BLK;
                        priv->dma_buffer[0] = command;
-                       memcpy(&priv->dma_buffer[1], &data->block[1], dma_size);
+                       memcpy(&priv->dma_buffer[1], &data->block[1], dma_size - 1);
                } else {
                        /* Block Read */
                        dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA:  READ\n");
@@ -525,7 +525,7 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
                        desc->wr_len_cmd = dma_size;
                        desc->control |= ISMT_DESC_I2C;
                        priv->dma_buffer[0] = command;
-                       memcpy(&priv->dma_buffer[1], &data->block[1], dma_size);
+                       memcpy(&priv->dma_buffer[1], &data->block[1], dma_size - 1);
                } else {
                        /* i2c Block Read */
                        dev_dbg(dev, "I2C_SMBUS_I2C_BLOCK_DATA:  READ\n");