From 24990423267ec283b9d86f07f362b753eb9b0ed5 Mon Sep 17 00:00:00 2001

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Date: Wed, 26 May 2021 08:39:37 -0400

Subject: [PATCH] i2c: s3c2410: fix possible NULL pointer deref on read message after write

Git-commit: 24990423267ec283b9d86f07f362b753eb9b0ed5

Patch-mainline: v5.13-rc4

References: git-fixes

Interrupt handler processes multiple message write requests one after

another, till the driver message queue is drained.  However if driver

encounters a read message without preceding START, it stops the I2C

transfer as it is an invalid condition for the controller.  At least the

comment describes a requirement "the controller forces us to send a new

START when we change direction".  This stop results in clearing the

message queue (i2c->msg = NULL).

The code however immediately jumped back to label "retry_write" which

dereferenced the "i2c->msg" making it a possible NULL pointer

dereference.

The Coverity analysis:

1. Condition !is_msgend(i2c), taking false branch.

   if (!is_msgend(i2c)) {

2. Condition !is_lastmsg(i2c), taking true branch.

   } else if (!is_lastmsg(i2c)) {

3. Condition i2c->msg->flags & 1, taking true branch.

   if (i2c->msg->flags & I2C_M_RD) {

4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.

   s3c24xx_i2c_stop(i2c, -EINVAL);

5. Jumping to label retry_write.

   goto retry_write;

6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg.

   if (!is_msgend(i2c)) {"

All previous calls to s3c24xx_i2c_stop() in this interrupt service

routine are followed by jumping to end of function (acknowledging

the interrupt and returning).  This seems a reasonable choice also here

since message buffer was entirely emptied.

Addresses-coverity: Explicit null dereferenced

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Signed-off-by: Wolfram Sang <wsa@kernel.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/i2c/busses/i2c-s3c2410.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c

index ab928613afba..4d82761e1585 100644

--- a/drivers/i2c/busses/i2c-s3c2410.c

+++ b/drivers/i2c/busses/i2c-s3c2410.c

@@ -480,7 +480,10 @@ static int i2c_s3c_irq_nextbyte(struct s3c24xx_i2c *i2c, unsigned long iicstat)

 					 * forces us to send a new START

 					 * when we change direction

 					 */

+					dev_dbg(i2c->dev,

+						"missing START before write->read\n");

 					s3c24xx_i2c_stop(i2c, -EINVAL);

+					break;

 				}

 				goto retry_write;

-- 

2.26.2