| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Jun 2019 16:55:22 +0300
From: Dmitry Osipenko <digetx@...il.com>
To: Bitan Biswas <bbiswas@...dia.com>,
Laxman Dewangan <ldewangan@...dia.com>,
Thierry Reding <treding@...dia.com>,
Jonathan Hunter <jonathanh@...dia.com>,
linux-i2c@...r.kernel.org, linux-tegra@...r.kernel.org,
linux-kernel@...r.kernel.org, Peter Rosin <peda@...ntia.se>,
Wolfram Sang <wsa@...-dreams.de>
Cc: Shardar Mohammed <smohammed@...dia.com>,
Sowjanya Komatineni <skomatineni@...dia.com>,
Mantravadi Karthik <mkarthik@...dia.com>
Subject: Re: [PATCH V5 6/7] i2c: tegra: fix PIO rx/tx residual transfer check
11.06.2019 13:51, Bitan Biswas пишет:
> Fix expression for residual bytes(less than word) transfer
> in I2C PIO mode RX/TX.
>
> Signed-off-by: Bitan Biswas <bbiswas@...dia.com>
> ---
> drivers/i2c/busses/i2c-tegra.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
> index 4dfb4c1..0596c12 100644
> --- a/drivers/i2c/busses/i2c-tegra.c
> +++ b/drivers/i2c/busses/i2c-tegra.c
> @@ -514,7 +514,8 @@ static int tegra_i2c_empty_rx_fifo(struct tegra_i2c_dev *i2c_dev)
> * If there is a partial word at the end of buf, handle it manually to
> * prevent overwriting past the end of buf
> */
> - if (rx_fifo_avail > 0 && buf_remaining > 0) {
> + if (rx_fifo_avail > 0 &&
> + (buf_remaining > 0 && buf_remaining < BYTES_PER_FIFO_WORD)) {
The buf_remaining >= BYTES_PER_FIFO_WORD is not possible to happen
because there are three possible cases:
1) buf_remaining > rx_fifo_avail * 4:
In this case rx_fifo_avail = 0
2) buf_remaining < rx_fifo_avail * 4;
In this case buf_remaining is always < 4 because
words_to_transfer is a buf_remaining rounded down to 4
and then divided by 4. Hence:
buf_remaining -= (buf_remaining / 4) * 4 always results
into buf_remaining < 4.
3) buf_remaining == rx_fifo_avail * 4:
In this case rx_fifo_avail = 0 and buf_remaining = 0.
Case 2 should never happen and means that something gone wrong.
> BUG_ON(buf_remaining > 3);
> val = i2c_readl(i2c_dev, I2C_RX_FIFO);
> val = cpu_to_le32(val);
> @@ -557,11 +558,10 @@ static int tegra_i2c_fill_tx_fifo(struct tegra_i2c_dev *i2c_dev)
> words_to_transfer = tx_fifo_avail;
>
> /*
> - * Update state before writing to FIFO. If this casues us
> + * Update state before writing to FIFO. If this causes us
> * to finish writing all bytes (AKA buf_remaining goes to 0) we
> * have a potential for an interrupt (PACKET_XFER_COMPLETE is
> - * not maskable). We need to make sure that the isr sees
> - * buf_remaining as 0 and doesn't call us back re-entrantly.
> + * not maskable).
> */
> buf_remaining -= words_to_transfer * BYTES_PER_FIFO_WORD;
> tx_fifo_avail -= words_to_transfer;
> @@ -580,7 +580,8 @@ static int tegra_i2c_fill_tx_fifo(struct tegra_i2c_dev *i2c_dev)
> * prevent reading past the end of buf, which could cross a page
> * boundary and fault.
> */
> - if (tx_fifo_avail > 0 && buf_remaining > 0) {
> + if (tx_fifo_avail > 0 &&
> + (buf_remaining > 0 && buf_remaining < BYTES_PER_FIFO_WORD)) {
> BUG_ON(buf_remaining > 3);
> memcpy(&val, buf, buf_remaining);
> val = le32_to_cpu(val);
>
Same as for RX.
Powered by blists - more mailing lists