lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTikeTQi6zz+yb4USWwaROFZJW2cfog@mail.gmail.com>
Date:	Thu, 2 Jun 2011 09:32:03 -0400
From:	Vincent Palatin <vpalatin@...omium.org>
To:	Jean Delvare <khali@...ux-fr.org>, Ben Dooks <ben-linux@...ff.org>,
	linux-i2c@...r.kernel.org
Cc:	Olof Johansson <olofj@...omium.org>, linux-kernel@...r.kernel.org,
	Colin Cross <ccross@...roid.com>, linux-tegra@...r.kernel.org,
	Vincent Palatin <vpalatin@...omium.org>
Subject: Re: [PATCH] i2c: i2c-tegra: fix possible race condition after tx

Anyone has a comment on that patch ?
The I2C driver has been reworked but this issue seems to still exist

-- 
Vincent

On Tue, Apr 19, 2011 at 18:14, Vincent Palatin <vpalatin@...omium.org> wrote:
> In tegra_i2c_fill_tx_fifo, once we have finished pushing all the bytes
> to the I2C hardware controller, the interrupt might happen before we
> have updated i2c_dev->msg_buf_remaining at the end of the function.
> Then, in tegra_i2c_isr, we will call again tegra_i2c_fill_tx_fifo
> triggering weird behaviour.
> Of course, this is unlikely since the I2C bus is slow and thus the ISR
> is called several hundreds of microseconds after the last register
> write.
>
> Signed-off-by: Vincent Palatin <vpalatin@...omium.org>
> ---
>  drivers/i2c/busses/i2c-tegra.c |   54 ++++++++++++++++++++++-----------------
>  1 files changed, 30 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
> index b4ab39b..c1b119b 100644
> --- a/drivers/i2c/busses/i2c-tegra.c
> +++ b/drivers/i2c/busses/i2c-tegra.c
> @@ -125,7 +125,7 @@ struct tegra_i2c_dev {
>        struct completion msg_complete;
>        int msg_err;
>        u8 *msg_buf;
> -       size_t msg_buf_remaining;
> +       atomic_t msg_buf_remaining;
>        int msg_read;
>        unsigned long bus_clk_rate;
>        bool is_suspended;
> @@ -213,38 +213,41 @@ static int tegra_i2c_empty_rx_fifo(struct tegra_i2c_dev *i2c_dev)
>        u32 val;
>        int rx_fifo_avail;
>        u8 *buf = i2c_dev->msg_buf;
> -       size_t buf_remaining = i2c_dev->msg_buf_remaining;
>        int words_to_transfer;
> +       int bytes_to_transfer;
>
>        val = i2c_readl(i2c_dev, I2C_FIFO_STATUS);
>        rx_fifo_avail = (val & I2C_FIFO_STATUS_RX_MASK) >>
>                I2C_FIFO_STATUS_RX_SHIFT;
>
>        /* Rounds down to not include partial word at the end of buf */
> -       words_to_transfer = buf_remaining / BYTES_PER_FIFO_WORD;
> +       words_to_transfer = atomic_read(&i2c_dev->msg_buf_remaining) /
> +               BYTES_PER_FIFO_WORD;
>        if (words_to_transfer > rx_fifo_avail)
>                words_to_transfer = rx_fifo_avail;
>
> +       atomic_sub(words_to_transfer * BYTES_PER_FIFO_WORD,
> +               &i2c_dev->msg_buf_remaining);
>        i2c_readsl(i2c_dev, buf, I2C_RX_FIFO, words_to_transfer);
>
>        buf += words_to_transfer * BYTES_PER_FIFO_WORD;
> -       buf_remaining -= words_to_transfer * BYTES_PER_FIFO_WORD;
>        rx_fifo_avail -= words_to_transfer;
>
>        /*
>         * If there is a partial word at the end of buf, handle it manually to
>         * prevent overwriting past the end of buf
>         */
> -       if (rx_fifo_avail > 0 && buf_remaining > 0) {
> -               BUG_ON(buf_remaining > 3);
> +       bytes_to_transfer = atomic_read(&i2c_dev->msg_buf_remaining);
> +       if (rx_fifo_avail > 0 && bytes_to_transfer > 0) {
> +               BUG_ON(bytes_to_transfer > 3);
> +               atomic_set(&i2c_dev->msg_buf_remaining, 0);
>                val = i2c_readl(i2c_dev, I2C_RX_FIFO);
> -               memcpy(buf, &val, buf_remaining);
> -               buf_remaining = 0;
> +               memcpy(buf, &val, bytes_to_transfer);
>                rx_fifo_avail--;
>        }
>
> -       BUG_ON(rx_fifo_avail > 0 && buf_remaining > 0);
> -       i2c_dev->msg_buf_remaining = buf_remaining;
> +       BUG_ON(rx_fifo_avail > 0 &&
> +               atomic_read(&i2c_dev->msg_buf_remaining) > 0);
>        i2c_dev->msg_buf = buf;
>        return 0;
>  }
> @@ -254,22 +257,24 @@ static int tegra_i2c_fill_tx_fifo(struct tegra_i2c_dev *i2c_dev)
>        u32 val;
>        int tx_fifo_avail;
>        u8 *buf = i2c_dev->msg_buf;
> -       size_t buf_remaining = i2c_dev->msg_buf_remaining;
>        int words_to_transfer;
> +       int bytes_to_transfer;
>
>        val = i2c_readl(i2c_dev, I2C_FIFO_STATUS);
>        tx_fifo_avail = (val & I2C_FIFO_STATUS_TX_MASK) >>
>                I2C_FIFO_STATUS_TX_SHIFT;
>
>        /* Rounds down to not include partial word at the end of buf */
> -       words_to_transfer = buf_remaining / BYTES_PER_FIFO_WORD;
> +       words_to_transfer = atomic_read(&i2c_dev->msg_buf_remaining) /
> +               BYTES_PER_FIFO_WORD;
>        if (words_to_transfer > tx_fifo_avail)
>                words_to_transfer = tx_fifo_avail;
>
> +       atomic_sub(words_to_transfer * BYTES_PER_FIFO_WORD,
> +               &i2c_dev->msg_buf_remaining);
>        i2c_writesl(i2c_dev, buf, I2C_TX_FIFO, words_to_transfer);
>
>        buf += words_to_transfer * BYTES_PER_FIFO_WORD;
> -       buf_remaining -= words_to_transfer * BYTES_PER_FIFO_WORD;
>        tx_fifo_avail -= words_to_transfer;
>
>        /*
> @@ -277,16 +282,17 @@ static int tegra_i2c_fill_tx_fifo(struct tegra_i2c_dev *i2c_dev)
>         * prevent reading past the end of buf, which could cross a page
>         * boundary and fault.
>         */
> -       if (tx_fifo_avail > 0 && buf_remaining > 0) {
> -               BUG_ON(buf_remaining > 3);
> -               memcpy(&val, buf, buf_remaining);
> +       bytes_to_transfer = atomic_read(&i2c_dev->msg_buf_remaining);
> +       if (tx_fifo_avail > 0 && bytes_to_transfer > 0) {
> +               BUG_ON(bytes_to_transfer > 3);
> +               memcpy(&val, buf, bytes_to_transfer);
> +               atomic_set(&i2c_dev->msg_buf_remaining, 0);
>                i2c_writel(i2c_dev, val, I2C_TX_FIFO);
> -               buf_remaining = 0;
>                tx_fifo_avail--;
>        }
>
> -       BUG_ON(tx_fifo_avail > 0 && buf_remaining > 0);
> -       i2c_dev->msg_buf_remaining = buf_remaining;
> +       BUG_ON(tx_fifo_avail > 0 &&
> +               atomic_read(&i2c_dev->msg_buf_remaining) > 0);
>        i2c_dev->msg_buf = buf;
>        return 0;
>  }
> @@ -364,21 +370,21 @@ static irqreturn_t tegra_i2c_isr(int irq, void *dev_id)
>        }
>
>        if (i2c_dev->msg_read && (status & I2C_INT_RX_FIFO_DATA_REQ)) {
> -               if (i2c_dev->msg_buf_remaining)
> +               if (atomic_read(&i2c_dev->msg_buf_remaining))
>                        tegra_i2c_empty_rx_fifo(i2c_dev);
>                else
>                        BUG();
>        }
>
>        if (!i2c_dev->msg_read && (status & I2C_INT_TX_FIFO_DATA_REQ)) {
> -               if (i2c_dev->msg_buf_remaining)
> +               if (atomic_read(&i2c_dev->msg_buf_remaining))
>                        tegra_i2c_fill_tx_fifo(i2c_dev);
>                else
>                        tegra_i2c_mask_irq(i2c_dev, I2C_INT_TX_FIFO_DATA_REQ);
>        }
>
>        if ((status & I2C_INT_PACKET_XFER_COMPLETE) &&
> -                       !i2c_dev->msg_buf_remaining)
> +                       !atomic_read(&i2c_dev->msg_buf_remaining))
>                complete(&i2c_dev->msg_complete);
>
>        i2c_writel(i2c_dev, status, I2C_INT_STATUS);
> @@ -408,7 +414,7 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev,
>                return -EINVAL;
>
>        i2c_dev->msg_buf = msg->buf;
> -       i2c_dev->msg_buf_remaining = msg->len;
> +       atomic_set(&i2c_dev->msg_buf_remaining, msg->len);
>        i2c_dev->msg_err = I2C_ERR_NONE;
>        i2c_dev->msg_read = (msg->flags & I2C_M_RD);
>        INIT_COMPLETION(i2c_dev->msg_complete);
> @@ -440,7 +446,7 @@ static int tegra_i2c_xfer_msg(struct tegra_i2c_dev *i2c_dev,
>        int_mask = I2C_INT_NO_ACK | I2C_INT_ARBITRATION_LOST;
>        if (msg->flags & I2C_M_RD)
>                int_mask |= I2C_INT_RX_FIFO_DATA_REQ;
> -       else if (i2c_dev->msg_buf_remaining)
> +       else if (atomic_read(&i2c_dev->msg_buf_remaining))
>                int_mask |= I2C_INT_TX_FIFO_DATA_REQ;
>        tegra_i2c_unmask_irq(i2c_dev, int_mask);
>        dev_dbg(i2c_dev->dev, "unmasked irq: %02x\n",
> --
> 1.7.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ