From e4d8716c3dcec47f1557024add24e1f3c09eb24b Mon Sep 17 00:00:00 2001

From: Jean Delvare <jdelvare@suse.de>

Date: Tue, 25 May 2021 17:03:36 +0200

Subject: [PATCH] i2c: i801: Don't generate an interrupt on bus reset

Git-commit: e4d8716c3dcec47f1557024add24e1f3c09eb24b

Patch-mainline: v5.13-rc4

References: git-fixes

Now that the i2c-i801 driver supports interrupts, setting the KILL bit

in a attempt to recover from a timed out transaction triggers an

interrupt. Unfortunately, the interrupt handler (i801_isr) is not

prepared for this situation and will try to process the interrupt as

if it was signaling the end of a successful transaction. In the case

of a block transaction, this can result in an out-of-range memory

access.

This condition was reproduced several times by syzbot:

https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e

https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e

https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e

https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb

https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a

https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79

So disable interrupts while trying to reset the bus. Interrupts will

be enabled again for the following transaction.

Fixes: 636752bcb517 ("i2c-i801: Enable IRQ for SMBus transactions")

Reported-by: syzbot+b4d3fd1dfd53e90afd79@syzkaller.appspotmail.com

Signed-off-by: Jean Delvare <jdelvare@suse.de>

Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

Cc: Jarkko Nikula <jarkko.nikula@linux.intel.com>

Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>

Signed-off-by: Wolfram Sang <wsa@kernel.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/i2c/busses/i2c-i801.c | 6 ++----

 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c

index 99d446763530..f9e1c2ceaac0 100644

--- a/drivers/i2c/busses/i2c-i801.c

+++ b/drivers/i2c/busses/i2c-i801.c

@@ -395,11 +395,9 @@ static int i801_check_post(struct i801_priv *priv, int status)

 		dev_err(&priv->pci_dev->dev, "Transaction timeout\n");

 		/* try to stop the current command */

 		dev_dbg(&priv->pci_dev->dev, "Terminating the current operation\n");

-		outb_p(inb_p(SMBHSTCNT(priv)) | SMBHSTCNT_KILL,

-		       SMBHSTCNT(priv));

+		outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv));

 		usleep_range(1000, 2000);

-		outb_p(inb_p(SMBHSTCNT(priv)) & (~SMBHSTCNT_KILL),

-		       SMBHSTCNT(priv));

+		outb_p(0, SMBHSTCNT(priv));

 		/* Check if it worked */

 		status = inb_p(SMBHSTSTS(priv));

-- 

2.26.2