4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 14:45:58 +0000 (16:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 14:45:58 +0000 (16:45 +0200)
added patches:
i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch

queue-4.4/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch [new file with mode: 0644]
queue-4.4/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch b/queue-4.4/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
new file mode 100644 (file)
index 0000000..e6c30bb
--- /dev/null
@@ -0,0 +1,56 @@
+From e4d8716c3dcec47f1557024add24e1f3c09eb24b Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Tue, 25 May 2021 17:03:36 +0200
+Subject: i2c: i801: Don't generate an interrupt on bus reset
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit e4d8716c3dcec47f1557024add24e1f3c09eb24b upstream.
+
+Now that the i2c-i801 driver supports interrupts, setting the KILL bit
+in a attempt to recover from a timed out transaction triggers an
+interrupt. Unfortunately, the interrupt handler (i801_isr) is not
+prepared for this situation and will try to process the interrupt as
+if it was signaling the end of a successful transaction. In the case
+of a block transaction, this can result in an out-of-range memory
+access.
+
+This condition was reproduced several times by syzbot:
+https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e
+https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e
+https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e
+https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb
+https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a
+https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79
+
+So disable interrupts while trying to reset the bus. Interrupts will
+be enabled again for the following transaction.
+
+Fixes: 636752bcb517 ("i2c-i801: Enable IRQ for SMBus transactions")
+Reported-by: syzbot+b4d3fd1dfd53e90afd79@syzkaller.appspotmail.com
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-i801.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -327,11 +327,9 @@ static int i801_check_post(struct i801_p
+               dev_err(&priv->pci_dev->dev, "Transaction timeout\n");
+               /* try to stop the current command */
+               dev_dbg(&priv->pci_dev->dev, "Terminating the current operation\n");
+-              outb_p(inb_p(SMBHSTCNT(priv)) | SMBHSTCNT_KILL,
+-                     SMBHSTCNT(priv));
++              outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv));
+               usleep_range(1000, 2000);
+-              outb_p(inb_p(SMBHSTCNT(priv)) & (~SMBHSTCNT_KILL),
+-                     SMBHSTCNT(priv));
++              outb_p(0, SMBHSTCNT(priv));
+               /* Check if it worked */
+               status = inb_p(SMBHSTSTS(priv));
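Review bot: The new `outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv))` / `outb_p(0, SMBHSTCNT(priv))` pair replaces a read-modify-write, so it deliberately drops every other SMBHSTCNT bit (presumably including the interrupt-enable bit, which is what keeps i801_isr out of the reset per the message above), yet nothing in the code says so and a future cleanup could "restore" the read-modify-write and reintroduce the syzbot-reported out-of-range access. Add a comment above the first write: `/* Plain writes on purpose: do not preserve INTREN (or any other bit), so the KILL does not raise an interrupt that i801_isr cannot handle; the next transaction reprograms SMBHSTCNT in full. */`. The backport keeps the 4.4 context intact, but i801_check_post starts before and continues after this hunk, so the "Check if it worked" status read is the only post-kill verification visible here.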
diff --git a/queue-4.4/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch b/queue-4.4/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
new file mode 100644 (file)
index 0000000..c50d512
--- /dev/null
@@ -0,0 +1,68 @@
+From 24990423267ec283b9d86f07f362b753eb9b0ed5 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Wed, 26 May 2021 08:39:37 -0400
+Subject: i2c: s3c2410: fix possible NULL pointer deref on read message after write
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 24990423267ec283b9d86f07f362b753eb9b0ed5 upstream.
+
+Interrupt handler processes multiple message write requests one after
+another, till the driver message queue is drained.  However if driver
+encounters a read message without preceding START, it stops the I2C
+transfer as it is an invalid condition for the controller.  At least the
+comment describes a requirement "the controller forces us to send a new
+START when we change direction".  This stop results in clearing the
+message queue (i2c->msg = NULL).
+
+The code however immediately jumped back to label "retry_write" which
+dereferenced the "i2c->msg" making it a possible NULL pointer
+dereference.
+
+The Coverity analysis:
+1. Condition !is_msgend(i2c), taking false branch.
+   if (!is_msgend(i2c)) {
+
+2. Condition !is_lastmsg(i2c), taking true branch.
+   } else if (!is_lastmsg(i2c)) {
+
+3. Condition i2c->msg->flags & 1, taking true branch.
+   if (i2c->msg->flags & I2C_M_RD) {
+
+4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.
+   s3c24xx_i2c_stop(i2c, -EINVAL);
+
+5. Jumping to label retry_write.
+   goto retry_write;
+
+6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg.
+   if (!is_msgend(i2c)) {"
+
+All previous calls to s3c24xx_i2c_stop() in this interrupt service
+routine are followed by jumping to end of function (acknowledging
+the interrupt and returning).  This seems a reasonable choice also here
+since message buffer was entirely emptied.
+
+Addresses-Coverity: Explicit null dereferenced
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-s3c2410.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-s3c2410.c
++++ b/drivers/i2c/busses/i2c-s3c2410.c
+@@ -499,8 +499,10 @@ static int i2c_s3c_irq_nextbyte(struct s
+                                       /* cannot do this, the controller
+                                        * forces us to send a new START
+                                        * when we change direction */
+-
++                                      dev_dbg(i2c->dev,
++                                              "missing START before write->read\n");
+                                       s3c24xx_i2c_stop(i2c, -EINVAL);
++                                      break;
+                               }
+                               goto retry_write;
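Review bot: The added `break;` after `s3c24xx_i2c_stop(i2c, -EINVAL)` leaves an enclosing construct that is not visible in the hunk (presumably the state `switch` of i2c_s3c_irq_nextbyte), so from this deeply nested `if` a reader cannot tell that it bypasses the `goto retry_write` and lands on the interrupt-acknowledge path rather than merely leaving the `if`. The commit message says the sibling s3c24xx_i2c_stop() sites jump to the end of the function; if they do so via a `goto` label, using the same label here would make the exit path uniform and self-describing. At minimum annotate the exit: `break; /* i2c->msg is NULL now: leave the state machine, ack the IRQ, do not retry_write */`. i2c_s3c_irq_nextbyte begins before and ends after this hunk, so the target of the break cannot be confirmed from the patch alone.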
index b9edf08587cb04dec1815f9a0b31f9a2fe534429..9891a49c2552a439648eebadd29af2f82318e9a6 100644 (file)
@@ -26,3 +26,5 @@ nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
 net-mlx4-fix-eeprom-dump-support.patch
 revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
 tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
+i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch