WSL2-Linux-Kernel/drivers/i2c/busses
Krzysztof Kozlowski 2499042326 i2c: s3c2410: fix possible NULL pointer deref on read message after write
Interrupt handler processes multiple message write requests one after
another, till the driver message queue is drained.  However if driver
encounters a read message without preceding START, it stops the I2C
transfer as it is an invalid condition for the controller.  At least the
comment describes a requirement "the controller forces us to send a new
START when we change direction".  This stop results in clearing the
message queue (i2c->msg = NULL).

The code however immediately jumped back to label "retry_write" which
dereferenced the "i2c->msg" making it a possible NULL pointer
dereference.

The Coverity analysis:
1. Condition !is_msgend(i2c), taking false branch.
   if (!is_msgend(i2c)) {

2. Condition !is_lastmsg(i2c), taking true branch.
   } else if (!is_lastmsg(i2c)) {

3. Condition i2c->msg->flags & 1, taking true branch.
   if (i2c->msg->flags & I2C_M_RD) {

4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.
   s3c24xx_i2c_stop(i2c, -EINVAL);

5. Jumping to label retry_write.
   goto retry_write;

6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg.
   if (!is_msgend(i2c)) {

All previous calls to s3c24xx_i2c_stop() in this interrupt service
routine are followed by jumping to end of function (acknowledging
the interrupt and returning).  This seems a reasonable choice also here
since message buffer was entirely emptied.

Addresses-Coverity: Explicit null dereferenced
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2021-05-28 10:16:23 +02:00
Kconfig i2c: I2C_HISI should depend on ACPI 2021-05-25 21:24:50 +02:00
Makefile i2c: add support for HiSilicon I2C controller 2021-04-10 21:54:05 +02:00
i2c-acorn.c
i2c-ali15x3.c i2c: Use separate MODULE_AUTHOR() statements for multiple authors 2020-07-04 08:25:13 +02:00
i2c-ali1535.c i2c: Use separate MODULE_AUTHOR() statements for multiple authors 2020-07-04 08:25:13 +02:00
i2c-ali1563.c i2c: busses: i2c-ali1563: File headers are not good candidates for kernel-doc 2021-05-27 21:29:26 +02:00
i2c-altera.c i2c: altera: cleanup spinlock 2020-05-20 15:28:03 +02:00
i2c-amd-mp2-pci.c i2c: amd-mp2: convert to PCI logging functions 2021-02-01 23:01:29 +01:00
i2c-amd-mp2-plat.c i2c: amd-mp2: convert to PCI logging functions 2021-02-01 23:01:29 +01:00
i2c-amd-mp2.h i2c: amd-mp2: Remove unused macro 2021-02-01 23:01:50 +01:00
i2c-amd756-s4882.c
i2c-amd756.c
i2c-amd8111.c i2c: amd8111: Fix coding style issues 2021-04-15 22:24:11 +02:00
i2c-aspeed.c i2c: aspeed: Mask IRQ status to relevant bits 2020-09-14 08:55:44 +02:00
i2c-at91-core.c i2c: at91: Send bus clear command if SDA is down 2020-05-05 16:37:21 +02:00
i2c-at91-master.c i2c: at91: remove legacy DMA left overs 2020-11-03 21:34:40 +01:00
i2c-at91-slave.c
i2c-at91.h i2c: at91: remove legacy DMA left overs 2020-11-03 21:34:40 +01:00
i2c-au1550.c
i2c-axxia.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-bcm-iproc.c i2c: iproc: handle rx fifo full interrupt 2021-01-05 17:19:31 +01:00
i2c-bcm-kona.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-bcm2835.c i2c: bcm2835: Simplify with dev_err_probe() 2020-09-18 23:02:03 +02:00
i2c-brcmstb.c i2c: remove unused 'version.h' include in drivers 2021-04-08 23:12:38 +02:00
i2c-cadence.c i2c: busses: i2c-cadence: Fix incorrectly documented 'enum cdns_i2c_slave_mode' 2021-05-27 21:31:59 +02:00
i2c-cbus-gpio.c
i2c-cht-wc.c i2c: cht-wc: Constify the software node 2021-04-10 21:43:01 +02:00
i2c-cp2615.c i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge 2021-04-05 23:00:18 +02:00
i2c-cpm.c i2c: cpm: Fix i2c_ram structure 2020-09-27 15:14:16 +02:00
i2c-cros-ec-tunnel.c
i2c-davinci.c i2c: busses: convert to devm_platform_ioremap_resource 2020-04-15 12:09:09 +02:00
i2c-designware-baytrail.c i2c: designware: Fix spelling typos in the comments 2020-03-21 19:53:08 +01:00
i2c-designware-common.c i2c: designware: Add driver support for AMD NAVI GPU 2021-04-05 23:00:46 +02:00
i2c-designware-core.h i2c: designware: Add driver support for AMD NAVI GPU 2021-04-05 23:00:46 +02:00
i2c-designware-master.c i2c: busses: i2c-designware-master: Fix misnaming of 'i2c_dw_init_master()' 2021-05-27 21:32:12 +02:00
i2c-designware-pcidrv.c i2c: designware: Fix return value check in navi_amd_register_client() 2021-04-08 22:47:48 +02:00
i2c-designware-platdrv.c i2c: designware: Get rid of legacy platform data 2021-04-14 16:06:46 +01:00
i2c-designware-slave.c i2c: designware: slave should do WRITE_REQUESTED before WRITE_RECEIVED 2020-11-06 16:02:00 +01:00
i2c-digicolor.c i2c: busses: Replace spin_lock_irqsave with spin_lock in hard IRQ 2021-02-12 08:21:57 +01:00
i2c-diolan-u2c.c i2c: drivers: Use generic definitions for bus frequencies 2020-03-24 22:36:59 +01:00
i2c-dln2.c
i2c-eg20t.c i2c: busses: i2c-eg20t: Fix 'bad line' issue and provide description for 'msgs' param 2021-05-27 21:33:10 +02:00
i2c-elektor.c Merge branch 'i2c/for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2021-02-22 09:02:24 -08:00
i2c-emev2.c i2c: emev2: add IRQ check 2021-04-14 10:20:00 +02:00
i2c-exynos5.c i2c: exynos5: correct top kerneldoc 2021-04-06 22:32:33 +02:00
i2c-fsi.c i2c: fsi: Prevent adding adapters for ports without dts nodes 2020-07-24 21:31:33 +02:00
i2c-gpio.c i2c: gpio: fix MODULE_LICENCE 2021-01-05 17:30:45 +01:00
i2c-highlander.c
i2c-hisi.c i2c: add support for HiSilicon I2C controller 2021-04-10 21:54:05 +02:00
i2c-hix5hd2.c i2c: hix5hd2: use the correct HiSilicon copyright 2021-03-31 10:06:40 +02:00
i2c-hydra.c
i2c-i801.c i2c: i801: Don't generate an interrupt on bus reset 2021-05-27 21:56:42 +02:00
i2c-ibm_iic.c
i2c-ibm_iic.h
i2c-icy.c i2c: icy: Remove unused variable new_fwnode in icy_probe() 2021-05-25 21:21:32 +02:00
i2c-img-scb.c i2c: img-scb: fix reference leak when pm_runtime_get_sync fails 2021-04-14 09:49:06 +02:00
i2c-imx-lpi2c.c i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails 2021-04-14 09:49:09 +02:00
i2c-imx.c i2c: imx: Fix PM reference leak in i2c_imx_reg_slave() 2021-04-14 10:04:23 +02:00
i2c-iop3xx.c i2c: iop3xx: Fix coding style issues 2021-04-15 22:24:23 +02:00
i2c-iop3xx.h
i2c-isch.c
i2c-ismt.c i2c: ismt: Adding support for I2C_SMBUS_BLOCK_PROC_CALL 2020-12-03 21:20:53 +01:00
i2c-jz4780.c Merge branch 'i2c/for-5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2021-04-30 13:01:02 -07:00
i2c-kempld.c
i2c-lpc2k.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-meson.c i2c: meson: fixup rate calculation with filter delay 2020-10-08 11:57:23 +02:00
i2c-mlxbf.c i2c: mlxbf: add IRQ check 2021-04-14 10:20:45 +02:00
i2c-mlxcpld.c i2c: mlxcpld: Add support for I2C bus frequency setting 2021-01-06 15:36:46 +01:00
i2c-mpc.c i2c: mpc: implement erratum A-004447 workaround 2021-05-27 21:52:25 +02:00
i2c-mt65xx.c i2c: mediatek: Disable i2c start_en and clear intr_stat brfore reset 2021-05-28 10:13:07 +02:00
i2c-mt7621.c i2c: drivers: Use generic definitions for bus frequencies 2020-03-24 22:36:59 +01:00
i2c-mv64xxx.c i2c: mv64xxx: Fix random system lock caused by runtime PM 2021-04-15 22:13:19 +02:00
i2c-mxs.c i2c: mxs: Remove unneeded platform_device_id 2020-12-02 21:29:31 +01:00
i2c-nforce2-s4985.c
i2c-nforce2.c
i2c-nomadik.c i2c: busses: i2c-nomadik: Fix formatting issue pertaining to 'timeout' 2021-05-27 21:27:48 +02:00
i2c-npcm7xx.c i2c: npcm7xx: Clear LAST bit after a failed transaction. 2020-09-27 20:05:27 +02:00
i2c-nvidia-gpu.c i2c: nvidia-gpu: Constify the software node 2021-04-10 21:43:01 +02:00
i2c-ocores.c i2c: busses: i2c-ocores: Place the expected function names into the documentation headers 2021-05-27 21:33:41 +02:00
i2c-octeon-core.c i2c: octeon: check correct size of maximum RECV_LEN packet 2021-01-17 12:26:55 +01:00
i2c-octeon-core.h
i2c-octeon-platdrv.c i2c: busses: convert to devm_platform_ioremap_resource 2020-04-15 12:09:09 +02:00
i2c-omap.c i2c: omap: fix reference leak when pm_runtime_get_sync fails 2021-04-14 09:49:17 +02:00
i2c-opal.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
i2c-owl.c i2c: owl: Add compatible for the Actions Semi S500 I2C controller 2020-12-09 21:23:21 +01:00
i2c-parport.c
i2c-pasemi.c
i2c-pca-isa.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
i2c-pca-platform.c i2c: pca-platform: drop two members from driver data that are assigned to only 2020-12-02 21:29:31 +01:00
i2c-piix4.c i2c: Use separate MODULE_AUTHOR() statements for multiple authors 2020-07-04 08:25:13 +02:00
i2c-pmcmsp.c
i2c-pnx.c i2c: busses: i2c-pnx: Provide descriptions for 'alg_data' data structure 2021-05-27 21:34:08 +02:00
i2c-powermac.c i2c: powermac: remove uncertainty about SMBUS_BLOCK transfers 2021-03-18 11:59:57 +01:00
i2c-pxa-pci.c
i2c-pxa.c i2c: pxa: move to generic GPIO recovery 2020-12-09 21:45:47 +01:00
i2c-qcom-cci.c i2c: drivers: Use generic definitions for bus frequencies (part 2) 2021-04-05 23:00:58 +02:00
i2c-qcom-geni.c i2c: qcom-geni: fix spelling mistake "unepxected" -> "unexpected" 2021-05-25 21:16:53 +02:00
i2c-qup.c i2c: qup: advertise SMBus transfers using RECV_LEN 2021-01-22 09:59:25 +01:00
i2c-rcar.c i2c: rcar: add IRQ check 2021-04-14 10:21:16 +02:00
i2c-riic.c i2c: drivers: Use generic definitions for bus frequencies 2020-03-24 22:36:59 +01:00
i2c-rk3x.c i2c: rk3x: Simplify with dev_err_probe() 2020-09-27 19:58:56 +02:00
i2c-robotfuzz-osif.c
i2c-s3c2410.c i2c: s3c2410: fix possible NULL pointer deref on read message after write 2021-05-28 10:16:23 +02:00
i2c-scmi.c i2c: i2c-scmi: Drop unused ACPI_MODULE_NAME definition 2021-03-18 12:11:45 +01:00
i2c-sh7760.c i2c: sh7760: fix IRQ error path 2021-04-17 22:00:58 +02:00
i2c-sh_mobile.c i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E 2021-05-25 21:53:46 +02:00
i2c-sibyte.c i2c: Use separate MODULE_AUTHOR() statements for multiple authors 2020-07-04 08:25:13 +02:00
i2c-simtec.c
i2c-sis96x.c
i2c-sis630.c
i2c-sis5595.c
i2c-sprd.c i2c: sprd: fix reference leak when pm_runtime_get_sync fails 2021-04-14 09:49:20 +02:00
i2c-st.c i2c: busses: i2c-st: Fix copy/paste function misnaming issues 2021-05-27 21:39:35 +02:00
i2c-stm32.c i2c: stm32: Simplify with dev_err_probe() 2020-09-21 11:45:43 +02:00
i2c-stm32.h
i2c-stm32f4.c i2c: busses: i2c-stm32f4: Remove incorrectly placed ' ' from function name 2021-05-27 21:39:57 +02:00
i2c-stm32f7.c i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails 2021-04-14 09:49:23 +02:00
i2c-sun6i-p2wi.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-synquacer.c i2c: busses: Use fallthrough pseudo-keyword 2020-07-23 22:04:08 +02:00
i2c-taos-evm.c
i2c-tegra-bpmp.c i2c: tegra-bpmp: make some functions void 2021-04-05 23:01:48 +02:00
i2c-tegra.c i2c: tegra: Use threaded interrupt 2021-01-28 10:03:58 +01:00
i2c-thunderx-pcidrv.c i2c: drivers: Use generic definitions for bus frequencies 2020-03-24 22:36:59 +01:00
i2c-tiny-usb.c
i2c-uniphier-f.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-uniphier.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-versatile.c
i2c-via.c
i2c-viapro.c i2c: busses: Use fallthrough pseudo-keyword 2020-07-23 22:04:08 +02:00
i2c-viperboard.c
i2c-wmt.c i2c: drivers: Use generic definitions for bus frequencies 2020-03-24 22:36:59 +01:00
i2c-xgene-slimpro.c i2c: remove unused 'version.h' include in drivers 2021-04-08 23:12:38 +02:00
i2c-xiic.c i2c: xiic: fix reference leak when pm_runtime_get_sync fails 2021-04-14 09:49:26 +02:00
i2c-xlp9xx.c i2c: busses: remove duplicate dev_err() 2020-04-18 23:42:14 +02:00
i2c-xlr.c i2c: busses: convert to devm_platform_ioremap_resource 2020-04-15 12:09:09 +02:00
scx200_acb.c i2c: busses: Use fallthrough pseudo-keyword 2020-07-23 22:04:08 +02:00