linux-stable/drivers/i2c
Vincent Whitchurch b503de239f i2c: virtio: fix completion handling
The driver currently assumes that the notify callback is only received
when the device is done with all the queued buffers.

However, this is not true, since the notify callback could be called
without any of the queued buffers being completed (for example, with
virtio-pci and shared interrupts) or with only some of the buffers being
completed (since the driver makes them available to the device in
multiple separate virtqueue_add_sgs() calls).

This can lead to incorrect data on the I2C bus or memory corruption in
the guest if the device operates on buffers which are have been freed by
the driver.  (The WARN_ON in the driver is also triggered.)

 BUG kmalloc-128 (Tainted: G        W        ): Poison overwritten
 First byte 0x0 instead of 0x6b
 Allocated in i2cdev_ioctl_rdwr+0x9d/0x1de age=243 cpu=0 pid=28
 	memdup_user+0x2e/0xbd
 	i2cdev_ioctl_rdwr+0x9d/0x1de
 	i2cdev_ioctl+0x247/0x2ed
 	vfs_ioctl+0x21/0x30
 	sys_ioctl+0xb18/0xb41
 Freed in i2cdev_ioctl_rdwr+0x1bb/0x1de age=68 cpu=0 pid=28
 	kfree+0x1bd/0x1cc
 	i2cdev_ioctl_rdwr+0x1bb/0x1de
 	i2cdev_ioctl+0x247/0x2ed
 	vfs_ioctl+0x21/0x30
 	sys_ioctl+0xb18/0xb41

Fix this by calling virtio_get_buf() from the notify handler like other
virtio drivers and by actually waiting for all the buffers to be
completed.

Fixes: 3cfc883804 ("i2c: virtio: add a virtio i2c frontend driver")
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
2021-12-09 09:49:58 +01:00
..
algos i2c: algo: bit: use new macro to specifiy capabilities 2021-01-22 09:59:21 +01:00
busses i2c: virtio: fix completion handling 2021-12-09 09:49:58 +01:00
muxes i2c: muxes: i2c-arb-gpio-challenge: Demote non-conformant kernel-doc headers 2021-05-27 21:29:03 +02:00
i2c-boardinfo.c i2c: Remove support for dangling device properties 2021-04-10 21:43:02 +02:00
i2c-core-acpi.c More ACPI updates for 5.16-rc1 2021-11-10 11:52:40 -08:00
i2c-core-base.c i2c: Allow an ACPI driver to manage the device's power state during probe 2021-11-03 19:03:55 +01:00
i2c-core-of.c i2c: use my kernel.org address from now on 2020-05-05 16:29:09 +02:00
i2c-core-slave.c i2c: slave: add sanity check when unregistering 2020-07-28 18:37:17 +02:00
i2c-core-smbus.c i2c: core-smbus: Expose PEC calculate function for generic use 2021-06-25 17:09:34 +02:00
i2c-core.h i2c: acpi: Remove dead code, i.e. i2c_acpi_match_device() 2020-08-25 09:22:09 +02:00
i2c-dev.c Merge branch 'i2c/for-mergewindow' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2021-08-31 14:34:01 -07:00
i2c-mux.c i2c: mux: add sysfs header 2019-06-22 07:32:33 +02:00
i2c-slave-eeprom.c i2c: busses: Use fallthrough pseudo-keyword 2020-07-23 22:04:08 +02:00
i2c-slave-testunit.c i2c: testunit: add support for block process calls 2021-02-12 11:11:04 +01:00
i2c-smbus.c i2c: smbus: add core function handling SMBus host-notify 2020-09-09 10:38:28 +02:00
i2c-stub.c i2c: stub: remove definition of DEBUG 2021-01-17 13:00:10 +01:00
Kconfig i2c: add slave testunit driver 2020-09-21 11:02:17 +02:00
Makefile i2c: add slave testunit driver 2020-09-21 11:02:17 +02:00