| Message ID | 205f1930-f26c-9533-ef09-e37377d9ef10@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v3] i2c: i801: fix potential race in i801_block_transaction_byte_by_byte | expand |
On Sat, 09 Sep 2023 22:25:06 +0200, Heiner Kallweit wrote: > Currently we set SMBHSTCNT_LAST_BYTE only after the host has started > receiving the last byte. If we get e.g. preempted before setting > SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte > before SMBHSTCNT_LAST_BYTE is set. > Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing > SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code > is also consistent with what we do in i801_isr_byte_done(). > > Reported-by: Jean Delvare <jdelvare@suse.com> > Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/ > Cc: stable@vger.kernel.org > Acked-by: Andi Shyti <andi.shyti@kernel.org> > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Reviewed-by: Jean Delvare <jdelvare@suse.de>
On Sat, Sep 09, 2023 at 10:25:06PM +0200, Heiner Kallweit wrote: > Currently we set SMBHSTCNT_LAST_BYTE only after the host has started > receiving the last byte. If we get e.g. preempted before setting > SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte > before SMBHSTCNT_LAST_BYTE is set. > Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing > SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code > is also consistent with what we do in i801_isr_byte_done(). > > Reported-by: Jean Delvare <jdelvare@suse.com> > Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/ > Cc: stable@vger.kernel.org > Acked-by: Andi Shyti <andi.shyti@kernel.org> > Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Applied to for-next, thanks!
diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c index 7a0ccc584..8acf09539 100644 --- a/drivers/i2c/busses/i2c-i801.c +++ b/drivers/i2c/busses/i2c-i801.c @@ -679,15 +679,11 @@ static int i801_block_transaction_byte_by_byte(struct i801_priv *priv, return result ? priv->status : -ETIMEDOUT; } - for (i = 1; i <= len; i++) { - if (i == len && read_write == I2C_SMBUS_READ) - smbcmd |= SMBHSTCNT_LAST_BYTE; - outb_p(smbcmd, SMBHSTCNT(priv)); - - if (i == 1) - outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START, - SMBHSTCNT(priv)); + if (len == 1 && read_write == I2C_SMBUS_READ) + smbcmd |= SMBHSTCNT_LAST_BYTE; + outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv)); + for (i = 1; i <= len; i++) { status = i801_wait_byte_done(priv); if (status) return status; @@ -710,9 +706,12 @@ static int i801_block_transaction_byte_by_byte(struct i801_priv *priv, data->block[0] = len; } - /* Retrieve/store value in SMBBLKDAT */ - if (read_write == I2C_SMBUS_READ) + if (read_write == I2C_SMBUS_READ) { data->block[i] = inb_p(SMBBLKDAT(priv)); + if (i == len - 1) + outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv)); + } + if (read_write == I2C_SMBUS_WRITE && i+1 <= len) outb_p(data->block[i+1], SMBBLKDAT(priv));