Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
Userspace should not be able to trigger warnings, so this patch adds
validation checks for user data in compact ioctl to prevent reported
warnings
Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
Fixes: 7d5cb45655 ("i2c compat ioctls: move to ->compat_ioctl()")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Pull i2c updates from Wolfram Sang:
"I2C has a smaller pull reuest this time:
- new driver for I2C virtio
- removal of PMC SMP driver because platform is already gone
- IRQ probing and DMAENGINE API cleanups
- add SI metric prefix definitions to units.h
- beginning of i801 refactorization
- a few driver improvements"
* 'i2c/for-mergewindow' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: (28 commits)
i2c: cadence: Implement save restore
i2c: xlp9xx: fix main IRQ check
i2c: mt65xx: fix IRQ check
i2c: virtio: add a virtio i2c frontend driver
i2c: hix5hd2: fix IRQ check
i2c: s3c2410: fix IRQ check
i2c: iop3xx: fix deferred probing
i2c: synquacer: fix deferred probing
i2c: sun6i-pw2i: Prefer strscpy over strlcpy
i2c: remove dead PMC MSP TWI/SMBus/I2C driver
i2c: dev: Use sysfs_emit() in "show" functions
i2c: dev: Define pr_fmt() and drop duplication substrings
i2c: designware: Fix indentation in the header
i2c: designware: Use DIV_ROUND_CLOSEST() macro
units: Add SI metric prefix definitions
i2c: at91: mark PM ops as __maybe unused
i2c: sh_mobile: : use proper DMAENGINE API for termination
i2c: qup: : use proper DMAENGINE API for termination
i2c: mxs: : use proper DMAENGINE API for termination
i2c: imx: : use proper DMAENGINE API for termination
...
The sysfs_emit() function was introduced to make it less ambiguous
which function is preferred when writing to the output buffer in
a "show" callback [1].
Convert the I²C device sysfs interface from sprintf() to sysfs_emit()
accordingly, as the latter is aware of the PAGE_SIZE buffer and correctly
returns the number of bytes written into the buffer.
No functional change intended.
[1] Documentation/filesystems/sysfs.rst
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Define pr_fmt() to print module name as prefix and at the same time
drop duplication substrings in the messages.
While at it, convert printk(<LEVEL>) to pr_<level>().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
If an i2c driver happens to not provide the full amount of data that a
user asks for, it is possible that some uninitialized data could be sent
to userspace. While all in-kernel drivers look to be safe, just be sure
by initializing the buffer to zero before it is passed to the i2c driver
so that any future drivers will not have this issue.
Also properly copy the amount of data recvieved to the userspace buffer,
as pointed out by Dan Carpenter.
Reported-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Fix Sparse warnings:
drivers/i2c/i2c-dev.c:546:19: warning: incorrect type in assignment (different address spaces)
drivers/i2c/i2c-dev.c:549:53: warning: incorrect type in argument 2 (different address spaces)
compat_ptr() returns a pointer tagged __user which gets assigned to a
pointer missing the __user annotation. The same pointer is passed to
copy_from_user() as an argument where it is expected to have the __user
annotation. Fix both by adding the __user annotation to the pointer.
Fixes: 7d5cb45655 ("i2c compat ioctls: move to ->compat_ioctl()")
Signed-off-by: Andreas Hecht <andreas.e.hecht@gmail.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
The buggy parameters currently get caught later, but emit a noisy WARN.
Userspace should not be able to trigger this, so add similar checks much
earlier. Also avoids some unneeded code paths, of course. Apply kernel
coding stlye to a comment while here.
Reported-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com
Tested-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Modules with multiple authors should use multiple MODULE_AUTHOR()
statements according to comment in include/linux/module.h.
Split the i2c modules with multiple authors to use multiple
MODULE_AUTHOR() statements.
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
The struct cdev is embedded in the struct i2c_dev. In the current code,
we would free the i2c_dev struct directly in put_i2c_dev(), but the
cdev is manged by a kobject, and the release of it is not predictable.
So it is very possible that the i2c_dev is freed before the cdev is
entirely released. We can easily get the following call trace with
CONFIG_DEBUG_KOBJECT_RELEASE and CONFIG_DEBUG_OBJECTS_TIMERS enabled.
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x38
WARNING: CPU: 19 PID: 1 at lib/debugobjects.c:325 debug_print_object+0xb0/0xf0
Modules linked in:
CPU: 19 PID: 1 Comm: swapper/0 Tainted: G W 5.2.20-yocto-standard+ #120
Hardware name: Marvell OcteonTX CN96XX board (DT)
pstate: 80c00089 (Nzcv daIf +PAN +UAO)
pc : debug_print_object+0xb0/0xf0
lr : debug_print_object+0xb0/0xf0
sp : ffff00001292f7d0
x29: ffff00001292f7d0 x28: ffff800b82151788
x27: 0000000000000001 x26: ffff800b892c0000
x25: ffff0000124a2558 x24: 0000000000000000
x23: ffff00001107a1d8 x22: ffff0000116b5088
x21: ffff800bdc6afca8 x20: ffff000012471ae8
x19: ffff00001168f2c8 x18: 0000000000000010
x17: 00000000fd6f304b x16: 00000000ee79de43
x15: ffff800bc0e80568 x14: 79616c6564203a74
x13: 6e6968207473696c x12: 5f72656d6974203a
x11: ffff0000113f0018 x10: 0000000000000000
x9 : 000000000000001f x8 : 0000000000000000
x7 : ffff0000101294cc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001
x3 : 00000000ffffffff x2 : 0000000000000000
x1 : 387fc15c8ec0f200 x0 : 0000000000000000
Call trace:
debug_print_object+0xb0/0xf0
__debug_check_no_obj_freed+0x19c/0x228
debug_check_no_obj_freed+0x1c/0x28
kfree+0x250/0x440
put_i2c_dev+0x68/0x78
i2cdev_detach_adapter+0x60/0xc8
i2cdev_notifier_call+0x3c/0x70
notifier_call_chain+0x8c/0xe8
blocking_notifier_call_chain+0x64/0x88
device_del+0x74/0x380
device_unregister+0x54/0x78
i2c_del_adapter+0x278/0x2d0
unittest_i2c_bus_remove+0x3c/0x80
platform_drv_remove+0x30/0x50
device_release_driver_internal+0xf4/0x1c0
driver_detach+0x58/0xa0
bus_remove_driver+0x84/0xd8
driver_unregister+0x34/0x60
platform_driver_unregister+0x20/0x30
of_unittest_overlay+0x8d4/0xbe0
of_unittest+0xae8/0xb3c
do_one_initcall+0xac/0x450
do_initcall_level+0x208/0x224
kernel_init_freeable+0x2d8/0x36c
kernel_init+0x18/0x108
ret_from_fork+0x10/0x1c
irq event stamp: 3934661
hardirqs last enabled at (3934661): [<ffff00001009fa04>] debug_exception_exit+0x4c/0x58
hardirqs last disabled at (3934660): [<ffff00001009fb14>] debug_exception_enter+0xa4/0xe0
softirqs last enabled at (3934654): [<ffff000010081d94>] __do_softirq+0x46c/0x628
softirqs last disabled at (3934649): [<ffff0000100b4a1c>] irq_exit+0x104/0x118
This is a common issue when using cdev embedded in a struct.
Fortunately, we already have a mechanism to solve this kind of issue.
Please see commit 233ed09d7f ("chardev: add helper function to
register char devs with a struct device") for more detail.
In this patch, we choose to embed the struct device into the i2c_dev,
and use the API provided by the commit 233ed09d7f to make sure that
the release of i2c_dev and cdev are in sequence.
Signed-off-by: Kevin Hao <haokexin@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Pull i2c fixes from Wolfram Sang:
"A memleak fix for the core, two driver bugfixes, as well as fixing
missing file patterns to MAINTAINERS"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
MAINTAINERS: add I2C DT bindings to ARM platforms
MAINTAINERS: add DT bindings to i2c drivers
i2c: synquacer: fix synquacer_i2c_doxfer() return value
i2c: mlxcpld: Fix wrong initialization order in probe
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
Based on 3 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version this program is distributed in the
hope that it will be useful but without any warranty without even
the implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version [author] [kishon] [vijay] [abraham]
[i] [kishon]@[ti] [com] this program is distributed in the hope that
it will be useful but without any warranty without even the implied
warranty of merchantability or fitness for a particular purpose see
the gnu general public license for more details
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version [author] [graeme] [gregory]
[gg]@[slimlogic] [co] [uk] [author] [kishon] [vijay] [abraham] [i]
[kishon]@[ti] [com] [based] [on] [twl6030]_[usb] [c] [author] [hema]
[hk] [hemahk]@[ti] [com] this program is distributed in the hope
that it will be useful but without any warranty without even the
implied warranty of merchantability or fitness for a particular
purpose see the gnu general public license for more details
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 1105 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Reviewed-by: Richard Fontana <rfontana@redhat.com>
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070033.202006027@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
If I2C_M_RECV_LEN check failed, msgs[i].buf allocated by memdup_user
will not be freed. Pump index up so it will be freed.
Fixes: 838bfa6049 ("i2c-dev: Add support for I2C_M_RECV_LEN")
Signed-off-by: Yingjoe Chen <yingjoe.chen@mediatek.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Actually, total amount of available minor number for a single major is
MINORMASK + 1. So expand minor range when registering chrdev region.
Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
[wsa: fixed typo in commit message]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
If adapter->retries is set to a minus value from user space via ioctl,
it will make __i2c_transfer and __i2c_smbus_xfer skip the calling to
adapter->algo->master_xfer and adapter->algo->smbus_xfer that is
registered by the underlying bus drivers, and return value 0 to all the
callers. The bus driver will never be accessed anymore by all users,
besides, the users may still get successful return value without any
error or information log print out.
If adapter->timeout is set to minus value from user space via ioctl,
it will make the retrying loop in __i2c_transfer and __i2c_smbus_xfer
always break after the the first try, due to the time_after always
returns true.
Signed-off-by: Yi Zeng <yizeng@asrmicro.com>
[wsa: minor grammar updates to commit message]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
i2cdev_ioctl_rdwr() allocates i2c_msg.buf using memdup_user(), which
returns ZERO_SIZE_PTR if i2c_msg.len is zero.
Currently i2cdev_ioctl_rdwr() always dereferences the buf pointer in case
of I2C_M_RD | I2C_M_RECV_LEN transfer. That causes a kernel oops in
case of zero len.
Let's check the len against zero before dereferencing buf pointer.
This issue was triggered by syzkaller.
Signed-off-by: Alexander Popov <alex.popov@linux.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[wsa: use '< 1' instead of '!' for easier readability]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
i2c_smbus_xfer() does not always fill an entire block, allowing
kernel stack memory disclosure through the temp variable. Clear
it before it's read to.
Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
There is no code protecting i2c_dev to be freed after it is returned
from i2c_dev_get_by_minor() and using it to access the value which we
already have (minor) isn't safe really.
Avoid using it and get the adapter directly from 'minor'.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Tested-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
The call to put_i2c_dev() frees "i2c_dev" so there is a use after
free when we call cdev_del(&i2c_dev->cdev).
Fixes: d6760b14d4 ('i2c: dev: switch from register_chrdev to cdev API')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
I stumbled multiple times over 'return_i2c_dev', especially before the
actual 'return res'. It makes the code hard to read, so reanme the
function to 'put_i2c_dev' which also better matches 'get_free_i2c_dev'.
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
i2c-dev had never moved away from the older register_chrdev interface to
implement its char device registration. The register_chrdev API has the
limitation of enabling only up to 256 i2c-dev busses to exist.
Large platforms with lots of i2c devices (i.e. pluggable transceivers)
with dedicated busses may have to exceed that limit.
In particular, there are also platforms making use of the i2c bus
multiplexing API, which instantiates a virtual bus for each possible
multiplexed selection.
This patch removes the register_chrdev usage and replaces it with the
less old cdev API, which takes away the 256 i2c-dev bus limitation.
It should not have any other impact for i2c bus drivers or user space.
This patch has been tested on qemu x86 and qemu powerpc platforms with
the aid of a module which adds and removes 5000 virtual i2c busses, as
well as validated on an existing powerpc hardware platform which makes
use of the i2c bus multiplexing API.
i2c-dev busses with device minor numbers larger than 256 have also been
validated to work with the existing i2c-tools.
Signed-off-by: Erico Nunes <erico.nunes@datacom.ind.br>
[wsa: kept includes sorted]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
The first part of the comment is wrong since November 2007, delete it.
The second part of the comment is related to I2C_PEC, not I2C_SLAVE, so
move it where it belongs.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Cc: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
The ioctl is named I2C_RDWR for "I2C read/write". But references to it
were misspelled "rdrw". Fix them.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
The 'name' attribute is needed for all i2c-dev class devices, meaning
it can be created automatically by pointing to it in the class data
structure. This simplifies the code and reduces the probability for race
conditions (the name attribute should exist by the time the device is
announced to user space).
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
As the bus driver side implementation of I2C_M_RECV_LEN is heavily
tied to SMBus, we can't support received length over 32 bytes, but
let's at least support that.
In practice, the caller will have to setup a buffer large enough to
cover the case where received length byte has value 32, so minimum
32 + 1 = 33 bytes, possibly more if there is a fixed number of bytes
added for the specific slave (for example a checksum.)
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Douglas Gilbert <dgilbert@interlog.com>
Use memdup_user rather than duplicating its implementation.
This is a little bit restricted to reduce false positives.
The semantic patch that makes this output is available
in scripts/coccinelle/api/memdup_user.cocci.
More information about semantic patching is available at
http://coccinelle.lip6.fr/
Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
The function i2cdev_notifier_call is used only in i2c-dev file
making it static.
Also removes the following sparse warning
drivers/i2c/i2c-dev.c:582:5: warning: symbol 'i2cdev_notifier_call'
was not declared. Should it be static?
Signed-off-by: Shubhrajyoti D <shubhrajyoti@ti.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Use the standard driver core mechanism to keep track of i2c adapters
present on the system: i2c_for_each_dev and a notifier. This will let
us deprecate and ultimately remove the legacy attach_adapter and
detach_adapter callbacks in i2c_driver.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Add multiplexed bus core support. I2C multiplexer and switches
like pca954x get instantiated as new adapters per port.
Signed-off-by: Michael Lawnick <ml.lawnick@gmx.de>
Acked-by: Rodolfo Giometti <giometti@linux.it>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Use memdup_user when user data is immediately copied into the allocated
region. Note that in the second case, the ++i is no longer necessary, as
the last value is already freed if needed by the call to memdup_user.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression from,to,size,flag;
position p;
identifier l1,l2;
@@
- to = \(kmalloc@p\|kzalloc@p\)(size,flag);
+ to = memdup_user(from,size);
if (
- to==NULL
+ IS_ERR(to)
|| ...) {
<+... when != goto l1;
- -ENOMEM
+ PTR_ERR(to)
...+>
}
- if (copy_from_user(to, from, size) != 0) {
- <+... when != goto l2;
- -EFAULT
- ...+>
- }
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Fix all coding style issues found by checkpatch.pl.
Signed-off-by: Farid Hammane <farid.hammane@gmail.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
The private_data member of struct file is a void *, there is no need
to cast it.
Signed-off-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
The BKL is held over a kmalloc so cannot protect anything beyond that.
The two calls before the kmalloc have their own locking.
Improve device open function by removing the now unnecessary ret variable
Signed-off-by: Vincent Sanders <vince@simtec.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
The unit in which user-space can set the bus timeout value is jiffies
for historical reasons (back when HZ was always 100.) This is however
not good because user-space doesn't know how long a jiffy lasts. The
timeout value should instead be set in a fixed time unit. Given the
original value of HZ, this unit should be 10 ms, for compatibility.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>
We need to convert the error pointer from class_create(), else we'll return the
successful return code from register_chrdev() on failure.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Fix various printk format strings where %zd was passed a size_t;
those should be %zu instead. (Courtesy of a version of GCC which
warns when these details are wrong.)
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
device_create() is race-prone, so use the race-free
device_create_drvdata() instead as device_create() is going away.
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* 'i2c-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6: (56 commits)
i2c: Add detection capability to new-style drivers
i2c: Call client_unregister for new-style devices too
i2c: Clean up old chip drivers
i2c-ibm_iic: Register child nodes
i2c: New-style EEPROM driver using device IDs
i2c: Export the i2c_bus_type symbol
i2c-au1550: Fix PM support
i2c-dev: Delete empty detach_client callback
i2c: Drop stray references to lm_sensors
i2c: Check for ACPI resource conflicts
i2c-ocores: basic PM support
i2c-sibyte: SWARM I2C board initialization
i2c-i801: Fix handling of error conditions
i2c-i801: Rename local variable temp to status
i2c-i801: Properly report bus arbitration loss
i2c-i801: Remove verbose debugging messages
i2c-algo-pcf: Drop unused struct members
i2c-algo-pcf: Multi-master lost-arbitration improvement
i2c: Deprecate the legacy gpio drivers
i2c-pxa: Initialize early
...
Implementing detach_client is optional, so there is no point in
an empty implementation.
Likewise, i2c driver IDs are optional, and we don't need one.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
This is part of the effort to get rid of the BKL.
[JD: In fact i2c-dev doesn't need more locking than is already done
for the other i2c drivers, so we can simply switch to unlocked_ioctl.]
Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>