Linux-i2c Archive on lore.kernel.org
* [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data
@ 2021-04-15  9:38 Krzysztof Kozlowski
  2021-04-15  9:38 ` [RFT 2/2] i2c: s3c2410: fix possible NULL pointer deref on read message after write Krzysztof Kozlowski
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Krzysztof Kozlowski @ 2021-04-15  9:38 UTC (permalink / raw)
  To: Krzysztof Kozlowski, linux-i2c, linux-arm-kernel,
	linux-samsung-soc, linux-kernel
  Cc: Marek Szyprowski, Sylwester Nawrocki, Alim Akhtar, Andrzej Hajda

Use of_device_get_match_data() to make the code slightly smaller.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
---
 drivers/i2c/busses/i2c-s3c2410.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
index 62a903fbe912..ab928613afba 100644
--- a/drivers/i2c/busses/i2c-s3c2410.c
+++ b/drivers/i2c/busses/i2c-s3c2410.c
@@ -24,6 +24,7 @@
 #include <linux/slab.h>
 #include <linux/io.h>
 #include <linux/of.h>
+#include <linux/of_device.h>
 #include <linux/gpio/consumer.h>
 #include <linux/pinctrl/consumer.h>
 #include <linux/mfd/syscon.h>
@@ -156,12 +157,8 @@ MODULE_DEVICE_TABLE(of, s3c24xx_i2c_match);
  */
 static inline kernel_ulong_t s3c24xx_get_device_quirks(struct platform_device *pdev)
 {
-	if (pdev->dev.of_node) {
-		const struct of_device_id *match;
-
-		match = of_match_node(s3c24xx_i2c_match, pdev->dev.of_node);
-		return (kernel_ulong_t)match->data;
-	}
+	if (pdev->dev.of_node)
+		return (kernel_ulong_t)of_device_get_match_data(&pdev->dev);
 
 	return platform_get_device_id(pdev)->driver_data;
 }
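Review bot: the new return in s3c24xx_get_device_quirks() no longer names s3c24xx_i2c_match, so the lookup depends on the match table attached to the bound driver; please confirm that is always this table when the function runs. Also, of_device_get_match_data() returns NULL when nothing matches, and the cast turns that into a quirks value of 0, where the removed code would have dereferenced a NULL match. That is a behaviour change worth a line in the commit message, which currently only mentions code size. The unchanged fallback, platform_get_device_id(pdev)->driver_data, still dereferences its result without a check.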
-- 
2.25.1



* [RFT 2/2] i2c: s3c2410: fix possible NULL pointer deref on read message after write
  2021-04-15  9:38 [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data Krzysztof Kozlowski
@ 2021-04-15  9:38 ` Krzysztof Kozlowski
  2021-04-15  9:45 ` [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data Sylwester Nawrocki
  2021-04-16 23:07 ` Wolfram Sang
  2 siblings, 0 replies; 4+ messages in thread
From: Krzysztof Kozlowski @ 2021-04-15  9:38 UTC (permalink / raw)
  To: Krzysztof Kozlowski, linux-i2c, linux-arm-kernel,
	linux-samsung-soc, linux-kernel
  Cc: Marek Szyprowski, Sylwester Nawrocki, Alim Akhtar, Andrzej Hajda

The interrupt handler processes multiple message write requests one after
another, until the driver message queue is drained.  However, if the driver
encounters a read message without a preceding START, it stops the I2C
transfer as it is an invalid condition for the controller.  At least the
comment describes a requirement "the controller forces us to send a new
START when we change direction".  This stop results in clearing the
message queue (i2c->msg = NULL).

The code, however, immediately jumped back to the label "retry_write", which
dereferenced "i2c->msg", making it a possible NULL pointer
dereference.

The Coverity analysis:
1. Condition !is_msgend(i2c), taking false branch.
   if (!is_msgend(i2c)) {

2. Condition !is_lastmsg(i2c), taking true branch.
   } else if (!is_lastmsg(i2c)) {

3. Condition i2c->msg->flags & 1, taking true branch.
   if (i2c->msg->flags & I2C_M_RD) {

4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.
   s3c24xx_i2c_stop(i2c, -EINVAL);

5. Jumping to label retry_write.
   goto retry_write;

All previous calls to s3c24xx_i2c_stop() in this interrupt service
routine are followed by jumping to the end of the function (acknowledging
the interrupt and returning).  This seems a reasonable choice here as well,
since the message buffer was entirely emptied.

Addresses-Coverity: Explicit null dereferenced
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
---
 drivers/i2c/busses/i2c-s3c2410.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c
index ab928613afba..4d82761e1585 100644
--- a/drivers/i2c/busses/i2c-s3c2410.c
+++ b/drivers/i2c/busses/i2c-s3c2410.c
@@ -480,7 +480,10 @@ static int i2c_s3c_irq_nextbyte(struct s3c24xx_i2c *i2c, unsigned long iicstat)
 					 * forces us to send a new START
 					 * when we change direction
 					 */
+					dev_dbg(i2c->dev,
+						"missing START before write->read\n");
 					s3c24xx_i2c_stop(i2c, -EINVAL);
+					break;
 				}
 
 				goto retry_write;
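Review bot: the added break after s3c24xx_i2c_stop(i2c, -EINVAL) avoids the goto retry_write below it only if break leaves the enclosing statement and reaches the interrupt acknowledge, and this hunk does not show that statement. The commit message says the other stop calls jump to the end of the function, so using the same goto here would make the intent explicit and would survive a later change that wraps this block in a loop. Separately, the -EINVAL path is reported with dev_dbg(), which prints nothing unless debugging is enabled; consider dev_err(), or say in the commit message why debug level is enough for a rejected transfer.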
-- 
2.25.1
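
The control flow described in the commit message above, reduced to a user-space C model (an added example, not code from the driver or from the patch author). The struct layout, the M_NOSTART flag and run_model() are assumptions made for the model; stop() mirrors only the one effect the thread states, clearing msg.

```c
#include <errno.h>
#include <stddef.h>

#define M_RD      0x1u  /* models I2C_M_RD */
#define M_NOSTART 0x2u  /* assumed: message is sent without its own START */

struct msg { unsigned flags; int len; };
struct ctrl {
    struct msg *msg;     /* NULL once the transfer has been stopped */
    int num, idx, ptr;   /* message count, current index, byte offset */
    int result;          /* status passed to stop() */
    int null_reentry;    /* model only: retry_write reached with msg == NULL */
};

/* Models s3c24xx_i2c_stop() only as far as the thread describes it. */
static void stop(struct ctrl *c, int ret) { c->msg = NULL; c->result = ret; }

/* One pass through the write path; fixed != 0 applies the patch's early exit. */
static void write_step(struct ctrl *c, int fixed)
{
retry_write:
    if (!c->msg) {                     /* the driver has no such guard and */
        c->null_reentry = 1;           /* would dereference msg at this point */
        return;
    }
    if (c->ptr < c->msg->len) {        /* !is_msgend(): send the next byte */
        c->ptr++;
    } else if (c->idx < c->num - 1) {  /* !is_lastmsg(): move to next message */
        c->ptr = 0; c->idx++; c->msg++;
        if (c->msg->flags & M_NOSTART) {
            if (c->msg->flags & M_RD) {
                stop(c, -EINVAL);      /* write->read without a new START */
                if (fixed) return;     /* patched path: do not retry */
            }
            goto retry_write;
        }
    } else {
        stop(c, 0);                    /* last message finished */
    }
}

/* Constructed transfer: a 1-byte write followed by a read with no START. */
static int run_model(int fixed, int *result)
{
    struct msg msgs[2] = { { 0, 1 }, { M_RD | M_NOSTART, 1 } };
    struct ctrl c = { msgs, 2, 0, 0, 0, 0 };
    while (c.msg && !c.null_reentry) write_step(&c, fixed);
    *result = c.result;
    return c.null_reentry;
}
```

run_model(0, &r) returns 1 because the unpatched flow re-enters retry_write after stop() has cleared msg; run_model(1, &r) returns 0, and both leave -EINVAL in r.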



* Re: [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data
  2021-04-15  9:38 [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data Krzysztof Kozlowski
  2021-04-15  9:38 ` [RFT 2/2] i2c: s3c2410: fix possible NULL pointer deref on read message after write Krzysztof Kozlowski
@ 2021-04-15  9:45 ` Sylwester Nawrocki
  2021-04-16 23:07 ` Wolfram Sang
  2 siblings, 0 replies; 4+ messages in thread
From: Sylwester Nawrocki @ 2021-04-15  9:45 UTC (permalink / raw)
  To: Krzysztof Kozlowski, linux-i2c, linux-arm-kernel,
	linux-samsung-soc, linux-kernel
  Cc: Marek Szyprowski, Alim Akhtar, Andrzej Hajda


On 15.04.2021 11:38, Krzysztof Kozlowski wrote:
> Use of_device_get_match_data() to make the code slightly smaller.
> 
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Reviewed-by: Sylwester Nawrocki <snawrocki@kernel.org>


* Re: [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data
  2021-04-15  9:38 [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data Krzysztof Kozlowski
  2021-04-15  9:38 ` [RFT 2/2] i2c: s3c2410: fix possible NULL pointer deref on read message after write Krzysztof Kozlowski
  2021-04-15  9:45 ` [PATCH 1/2] i2c: s3c2410: simplify getting of_device_id match data Sylwester Nawrocki
@ 2021-04-16 23:07 ` Wolfram Sang
  2 siblings, 0 replies; 4+ messages in thread
From: Wolfram Sang @ 2021-04-16 23:07 UTC (permalink / raw)
  To: Krzysztof Kozlowski
  Cc: linux-i2c, linux-arm-kernel, linux-samsung-soc, linux-kernel,
	Marek Szyprowski, Sylwester Nawrocki, Alim Akhtar, Andrzej Hajda



On Thu, Apr 15, 2021 at 11:38:02AM +0200, Krzysztof Kozlowski wrote:
> Use of_device_get_match_data() to make the code slightly smaller.
> 
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Applied to for-next, thanks!



