Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.2/patches/814456/?format=api
{ "id": 814456, "url": "http://patchwork.ozlabs.org/api/1.2/patches/814456/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-i2c/patch/20170916030252.10680-1-amworsley@gmail.com/", "project": { "id": 35, "url": "http://patchwork.ozlabs.org/api/1.2/projects/35/?format=api", "name": "Linux I2C development", "link_name": "linux-i2c", "list_id": "linux-i2c.vger.kernel.org", "list_email": "linux-i2c@vger.kernel.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170916030252.10680-1-amworsley@gmail.com>", "list_archive_url": null, "date": "2017-09-16T03:02:52", "name": "Fix Bug for cadence i2c interrupt overrunning buffer", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": false, "hash": "e7ef5456f8360781b283e7eb1d60fe9414a1ed19", "submitter": { "id": 68717, "url": "http://patchwork.ozlabs.org/api/1.2/people/68717/?format=api", "name": "Andrew Worsley", "email": "amworsley@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-i2c/patch/20170916030252.10680-1-amworsley@gmail.com/mbox/", "series": [ { "id": 3411, "url": "http://patchwork.ozlabs.org/api/1.2/series/3411/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-i2c/list/?series=3411", "date": "2017-09-16T03:02:52", "name": "Fix Bug for cadence i2c interrupt overrunning buffer", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/3411/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/814456/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/814456/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<linux-i2c-owner@vger.kernel.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=linux-i2c-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"SAK0rSMn\"; dkim-atps=neutral" ], "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xvHC22rG1z9sPm\n\tfor <incoming@patchwork.ozlabs.org>;\n\tSat, 16 Sep 2017 13:03:10 +1000 (AEST)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751259AbdIPDDJ (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);\n\tFri, 15 Sep 2017 23:03:09 -0400", "from mail-pg0-f68.google.com ([74.125.83.68]:35699 \"EHLO\n\tmail-pg0-f68.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751257AbdIPDDI (ORCPT\n\t<rfc822; linux-i2c@vger.kernel.org>); Fri, 15 Sep 2017 23:03:08 -0400", "by mail-pg0-f68.google.com with SMTP id j16so2201041pga.2\n\tfor <linux-i2c@vger.kernel.org>; Fri, 15 Sep 2017 20:03:08 -0700 (PDT)", "from localhost (27-32-189-129.static.tpgi.com.au. [27.32.189.129])\n\tby smtp.gmail.com with ESMTPSA id\n\ts81sm5799139pfg.162.2017.09.15.20.03.06\n\t(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);\n\tFri, 15 Sep 2017 20:03:07 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=gmail.com; s=20161025;\n\th=from:to:cc:subject:date:message-id;\n\tbh=dRPv5HkreBzERqVyPkhWIZLWRL0cbVr4OXiZNfuPeUk=;\n\tb=SAK0rSMnmuvLwbNYrJ26TSQFx55XCS6fQ4BKzzgr49aqEET38R426a2QPyCaff5wbS\n\tinzgovhpPWKz/bkKa6cW7KoSsu4ptXpzMBPUUS73S1zXT7lWYAgmPd0PmbNfT/NBM3QZ\n\tC6qSP3zy2So45KrIgmRHKcc3AxKZxGcwTDWsuibxF+IwonXh07u07yPotfgthnMrQPDT\n\tU9rskr900eFQSqvkQn4rq170LNFipbZGal4h+NO6vzBpbdJbxwfLTrlkMumsAlA/BmKH\n\tDi8qOqU8xICv9Yxxd8rF02w/HSzXa18qZ+KhYorxM+MpOru3hqyH/EDVGHyJmeoW1iH+\n\t523g==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id;\n\tbh=dRPv5HkreBzERqVyPkhWIZLWRL0cbVr4OXiZNfuPeUk=;\n\tb=E4aZ9IjhzeWMl725s5sa+9u9uJlf4nbDkvrAeZ4Eb4W5wP1AoHgG/zMCQdwYZ6GdQh\n\tMEJR+JOPjXlPjUOTFV+PtLNuyirXSfcFnCKYVI6jnnFSqEARybK/KXJpMBPSbYyrEJp7\n\ttvtwAa/wS9y3KrPehkOS+HMFlYru+RclEXYl1okQ2H9sB9cy8CvvUBTnx/+rxVICfJsk\n\td9KqOANw7/IHH1qFqVd/SLXepr2vSKh8GzPOm5K7VuCz8gD3SLzp1o1Pr3EGHp8/89xq\n\tHz6LoBonfNgPlnUo8BXE5zKReDy6ar2HNxLx/v/2KeRJzaXWcjt1WySiwxbX7Jhsq6gR\n\tJJxQ==", "X-Gm-Message-State": "AHPjjUhVuhGuP8rnRZdGM5hbVu/TcA0TcYgL37zBW1jpinkWx4IaLXkw\n\tWg4k9MbyrnA+sQ==", "X-Google-Smtp-Source": "ADKCNb4FL2DIRz2dZD7mKtSi/7I1nI/O7DA/xCuRIZav0ir3kSL8LaOmd7XB28muWuOm2MsNFm89DQ==", "X-Received": "by 10.84.196.131 with SMTP id l3mr26308268pld.195.1505530988435; \n\tFri, 15 Sep 2017 20:03:08 -0700 (PDT)", "From": "Andrew Worsley <amworsley@gmail.com>", "To": "michal.simek@xilinx.com", "Cc": "soren.brinkmann@xilinx.com, linux-arm-kernel@lists.infradead.org,\n\tlinux-i2c@vger.kernel.org, Andrew Worsley <amworsley@gmail.com>", "Subject": "[PATCH] Fix Bug for cadence i2c interrupt overrunning buffer", "Date": "Sat, 16 Sep 2017 13:02:52 +1000", "Message-Id": "<20170916030252.10680-1-amworsley@gmail.com>", "X-Mailer": "git-send-email 2.11.0", "Sender": "linux-i2c-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<linux-i2c.vger.kernel.org>", "X-Mailing-List": "linux-i2c@vger.kernel.org" }, "content": "The i2c interrupt handler was not checking against the length of\nsupplied buffer so if the hardware supplied more data than requested in\nthe i2c transfer it happily copies it right past the end of the buffer!\n\nSigned-off-by: Andrew Worsley <amworsley@gmail.com>\n---\n\n This bug reliably caused a stack corruption when the hardware provided more data than\nasked for in the i2c request. The hardware (a tpm) very occasionally appends a burst of\n0xff to the end of the data requested and the i2c interrupt handler mindlessly copies all\nthe data right past the end of the buffer and in my case across the stack. :-(\n\n With this patch the transfer now terminates with an -EIO but with out voilating the\nbuffer boundaries. I would prefer to just make the transfer succeed while not retrieving\nadditional bytes but I wasn't able to find an easy way to do this. As this is definitely a\nfault that causes a kernel oops I just wanted to get a fix out there for others to avoid\nthe problem as it has taken me a few weeks to chase down this oops. If someone has a\nbetter or nicer fix I would appreciate it or a pointer to how to do this.\n\n Thanks\n\n Andrew\n drivers/i2c/busses/i2c-cadence.c | 7 +++++++\n 1 file changed, 7 insertions(+)", "diff": "diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c\nindex b13605718291..c1f61ca6843e 100644\n--- a/drivers/i2c/busses/i2c-cadence.c\n+++ b/drivers/i2c/busses/i2c-cadence.c\n@@ -234,6 +234,7 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)\n \tif (id->p_recv_buf &&\n \t ((isr_status & CDNS_I2C_IXR_COMP) ||\n \t (isr_status & CDNS_I2C_IXR_DATA))) {\n+\t\tunsigned char *p = id->p_recv_buf;\n \t\t/* Read data if receive data valid is set */\n \t\twhile (cdns_i2c_readreg(CDNS_I2C_SR_OFFSET) &\n \t\t CDNS_I2C_SR_RXDV) {\n@@ -246,6 +247,12 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)\n \t\t\t !id->bus_hold_flag)\n \t\t\t\tcdns_i2c_clear_bus_hold(id);\n \n+\t\t\tif (id->recv_count == 0) {\n+\t\t\t\tpr_notice(\"%s: i2c receive buffer filled : %u aborting transfer %p - %p\\n\",\n+\t\t\t\t\t__func__, (id->p_recv_buf - p));\n+\t\t\t\tbreak;\n+\t\t\t}\n+\n \t\t\t*(id->p_recv_buf)++ =\n \t\t\t\tcdns_i2c_readreg(CDNS_I2C_DATA_OFFSET);\n \t\t\tid->recv_count--;\n", "prefixes": [] }