From: Greg Kroah-Hartman
Date: Sun, 30 May 2021 14:45:58 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.271~62
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ddf30fe09eb28fac39d00e591fd09833fea9fd47;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
---
diff --git a/queue-4.4/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch b/queue-4.4/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
new file mode 100644
index 00000000000..e6c30bbedb9
--- /dev/null
+++ b/queue-4.4/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
@@ -0,0 +1,56 @@
+From e4d8716c3dcec47f1557024add24e1f3c09eb24b Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Tue, 25 May 2021 17:03:36 +0200
+Subject: i2c: i801: Don't generate an interrupt on bus reset
+
+From: Jean Delvare
+
+commit e4d8716c3dcec47f1557024add24e1f3c09eb24b upstream.
+
+Now that the i2c-i801 driver supports interrupts, setting the KILL bit
+in a attempt to recover from a timed out transaction triggers an
+interrupt. Unfortunately, the interrupt handler (i801_isr) is not
+prepared for this situation and will try to process the interrupt as
+if it was signaling the end of a successful transaction. In the case
+of a block transaction, this can result in an out-of-range memory
+access.
+
+This condition was reproduced several times by syzbot:
+https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e
+https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e
+https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e
+https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb
+https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a
+https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79
+
+So disable interrupts while trying to reset the bus. Interrupts will
+be enabled again for the following transaction.
+
+Fixes: 636752bcb517 ("i2c-i801: Enable IRQ for SMBus transactions")
+Reported-by: syzbot+b4d3fd1dfd53e90afd79@syzkaller.appspotmail.com
+Signed-off-by: Jean Delvare
+Acked-by: Andy Shevchenko
+Cc: Jarkko Nikula
+Tested-by: Jarkko Nikula
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-i801.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -327,11 +327,9 @@ static int i801_check_post(struct i801_p
+ dev_err(&priv->pci_dev->dev, "Transaction timeout\n");
+ /* try to stop the current command */
+ dev_dbg(&priv->pci_dev->dev, "Terminating the current operation\n");
+- outb_p(inb_p(SMBHSTCNT(priv)) | SMBHSTCNT_KILL,
+- SMBHSTCNT(priv));
++ outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv));
+ usleep_range(1000, 2000);
+- outb_p(inb_p(SMBHSTCNT(priv)) & (~SMBHSTCNT_KILL),
+- SMBHSTCNT(priv));
++ outb_p(0, SMBHSTCNT(priv));
+
+ /* Check if it worked */
+ status = inb_p(SMBHSTSTS(priv));
diff --git a/queue-4.4/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch b/queue-4.4/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
new file mode 100644
index 00000000000..c50d51208f2
--- /dev/null
+++ b/queue-4.4/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
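Review bot: The two absolute `outb_p()` writes carry no comment recording that dropping the read-modify-write is deliberate, so a later cleanup could restore the `inb_p(SMBHSTCNT(priv)) | SMBHSTCNT_KILL` form and with it the interrupt that i801_isr mishandles as a completed transaction. A comment above the first write, such as `/* Write KILL alone, with INTREN clear: a reset must not raise an IRQ, as i801_isr would treat it as a finished transaction (out-of-range access on block reads) */`, would pin the intent next to the code. That the following transaction re-enables INTREN is asserted in the commit message only and is not visible in this hunk. i801_check_post starts before the hunk and continues past it.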
@@ -0,0 +1,68 @@
+From 24990423267ec283b9d86f07f362b753eb9b0ed5 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 26 May 2021 08:39:37 -0400
+Subject: i2c: s3c2410: fix possible NULL pointer deref on read message after write
+
+From: Krzysztof Kozlowski
+
+commit 24990423267ec283b9d86f07f362b753eb9b0ed5 upstream.
+
+Interrupt handler processes multiple message write requests one after
+another, till the driver message queue is drained. However if driver
+encounters a read message without preceding START, it stops the I2C
+transfer as it is an invalid condition for the controller. At least the
+comment describes a requirement "the controller forces us to send a new
+START when we change direction". This stop results in clearing the
+message queue (i2c->msg = NULL).
+
+The code however immediately jumped back to label "retry_write" which
+dereferenced the "i2c->msg" making it a possible NULL pointer
+dereference.
+
+The Coverity analysis:
+1. Condition !is_msgend(i2c), taking false branch.
+ if (!is_msgend(i2c)) {
+
+2. Condition !is_lastmsg(i2c), taking true branch.
+ } else if (!is_lastmsg(i2c)) {
+
+3. Condition i2c->msg->flags & 1, taking true branch.
+ if (i2c->msg->flags & I2C_M_RD) {
+
+4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.
+ s3c24xx_i2c_stop(i2c, -EINVAL);
+
+5. Jumping to label retry_write.
+ goto retry_write;
+
+6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg.
+ if (!is_msgend(i2c)) {"
+
+All previous calls to s3c24xx_i2c_stop() in this interrupt service
+routine are followed by jumping to end of function (acknowledging
+the interrupt and returning). This seems a reasonable choice also here
+since message buffer was entirely emptied.
+
+Addresses-Coverity: Explicit null dereferenced
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-s3c2410.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-s3c2410.c
++++ b/drivers/i2c/busses/i2c-s3c2410.c
+@@ -499,8 +499,10 @@ static int i2c_s3c_irq_nextbyte(struct s
+ /* cannot do this, the controller
+ * forces us to send a new START
+ * when we change direction */
+-
++ dev_dbg(i2c->dev,
++ "missing START before write->read\n");
+ s3c24xx_i2c_stop(i2c, -EINVAL);
++ break;
+ }
+
+ goto retry_write;
diff --git a/queue-4.4/series b/queue-4.4/series
index b9edf08587c..9891a49c255 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,5 @@ nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
 net-mlx4-fix-eeprom-dump-support.patch
 revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
 tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
+i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
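Review bot: The added `break` is the actual NULL-dereference fix, yet nothing in the code says why the `goto retry_write` just below must be skipped; the surviving comment only explains the controller's START restriction, so the next reader has to rediscover that `s3c24xx_i2c_stop()` clears `i2c->msg`. Suggest placing `/* stop() cleared i2c->msg; fall out to the IRQ ack, retry_write would dereference NULL */` directly above `s3c24xx_i2c_stop(i2c, -EINVAL);`. The construct the `break` leaves and the acknowledge path at the end of i2c_s3c_irq_nextbyte both lie outside the hunk, so that the break lands on the same exit as the other stop() callers is taken from the commit message rather than the visible lines.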