1. 28 May, 2021 2 commits
    • Krzysztof Kozlowski's avatar
      i2c: s3c2410: fix possible NULL pointer deref on read message after write · 24990423
      Krzysztof Kozlowski authored
      Interrupt handler processes multiple message write requests one after
      another, till the driver message queue is drained.  However if driver
      encounters a read message without preceding START, it stops the I2C
      transfer as it is an invalid condition for the controller.  At least the
      comment describes a requirement "the controller forces us to send a new
      START when we change direction".  This stop results in clearing the
      message queue (i2c->msg = NULL).
      
      The code however immediately jumped back to label "retry_write" which
      dereferenced the "i2c->msg" making it a possible NULL pointer
      dereference.
      
      The Coverity analysis:
      1. Condition !is_msgend(i2c), taking false branch.
         if (!is_msgend(i2c)) {
      
      2. Condition !is_lastmsg(i2c), taking true branch.
         } else if (!is_lastmsg(i2c)) {
      
      3. Condition i2c->msg->flags & 1, taking true branch.
         if (i2c->msg->flags & I2C_M_RD) {
      
      4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.
         s3c24xx_i2c_stop(i2c, -EINVAL);
      
      5. Jumping to label retry_write.
         goto retry_write;
      
      6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg.
         if (!is_msgend(i2c)) {"
      
      All previous calls to s3c24xx_i2c_stop() in this interrupt service
      routine are followed by jumping to end of function (acknowledging
      the interrupt and returning).  This seems a reasonable choice also here
      since message buffer was entirely emptied.
      
      Addresses-Coverity: Explicit null dereferenced
      Fixes: 1da177e4
      
       ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarKrzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      24990423
    • Qii Wang's avatar
      i2c: mediatek: Disable i2c start_en and clear intr_stat brfore reset · fed1bd51
      Qii Wang authored
      The i2c controller driver do dma reset after transfer timeout,
      but sometimes dma reset will trigger an unexpected DMA_ERR irq.
      It will cause the i2c controller to continuously send interrupts
      to the system and cause soft lock-up. So we need to disable i2c
      start_en and clear intr_stat to stop i2c controller before dma
      reset when transfer timeout.
      
      Fixes: aafced67
      
      ("i2c: mediatek: move dma reset before i2c reset")
      Signed-off-by: default avatarQii Wang <qii.wang@mediatek.com>
      Signed-off-by: default avatarWolfram Sang <wsa@kernel.org>
      fed1bd51
  2. 27 May, 2021 12 commits
  3. 25 May, 2021 4 commits
  4. 17 Apr, 2021 4 commits
  5. 16 Apr, 2021 3 commits
  6. 15 Apr, 2021 10 commits
  7. 14 Apr, 2021 5 commits