15 Feb, 2019

1 commit


11 Jan, 2019

1 commit

  • If adapter->retries is set to a minus value from user space via ioctl,
    it will make __i2c_transfer and __i2c_smbus_xfer skip the calling to
    adapter->algo->master_xfer and adapter->algo->smbus_xfer that is
    registered by the underlying bus drivers, and return value 0 to all the
    callers. The bus driver will never be accessed anymore by all users,
    besides, the users may still get successful return value without any
    error or information log print out.

    If adapter->timeout is set to a minus value from user space via ioctl,
    it will make the retrying loop in __i2c_transfer and __i2c_smbus_xfer
    always break after the first try, because time_after always
    returns true.

    Signed-off-by: Yi Zeng
    [wsa: minor grammar updates to commit message]
    Signed-off-by: Wolfram Sang
    Cc: stable@kernel.org

    Yi Zeng
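
The two failure modes described in the commit message above, reproduced in a user-space model. This is an added example, not code from the kernel tree or from the commit; `model_adapter`, `fake_master_xfer`, `model_transfer` and `set_int_field` are hypothetical names, and the range check shown is one assumed way to refuse such values at the ioctl boundary.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed model of the two fields the ioctl writes. */
struct model_adapter { int retries; int timeout; };

static unsigned long model_jiffies = 1000; /* constructed tick counter */
static int xfer_calls;                     /* times the bus driver was called */
static int busy_left;                      /* calls that still return -EAGAIN */

/* Wrap-safe "a is after b" comparison, same idea as the kernel's time_after(). */
#define model_time_after(a, b) ((long)((b) - (a)) < 0)

static int fake_master_xfer(void)
{
    xfer_calls++;
    model_jiffies++;                       /* each attempt costs one tick */
    return busy_left-- > 0 ? -EAGAIN : 1;
}

/* Retry loop shaped like the one the commit message describes. */
static int model_transfer(const struct model_adapter *adap, int busy)
{
    unsigned long orig = model_jiffies;
    int ret = 0, try;

    xfer_calls = 0;
    busy_left = busy;
    for (try = 0; try <= adap->retries; try++) {
        ret = fake_master_xfer();
        if (ret != -EAGAIN)
            break;
        /* A negative timeout puts the deadline in the past. */
        if (model_time_after(model_jiffies, orig + adap->timeout))
            break;
    }
    return ret;                            /* still 0 if the loop never ran */
}

/* Hypothetical ioctl-side check: refuse values that go negative in an int. */
static int set_int_field(int *field, unsigned long arg)
{
    if (arg > INT_MAX)
        return -EINVAL;
    *field = (int)arg;
    return 0;
}

int main(void)
{
    struct model_adapter neg_retries = { -1, 100 }, neg_timeout = { 3, -1 };
    int ret = model_transfer(&neg_retries, 0);
    printf("retries=-1: ret=%d, driver calls=%d\n", ret, xfer_calls);
    ret = model_transfer(&neg_timeout, 2);
    printf("timeout=-1: ret=%d, driver calls=%d\n", ret, xfer_calls);
    return 0;
}
```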
     

13 Jun, 2018

1 commit

  • The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
    patch replaces cases of:

    kmalloc(a * b, gfp)

    with:
    kmalloc_array(a * b, gfp)

    as well as handling cases of:

    kmalloc(a * b * c, gfp)

    with:

    kmalloc(array3_size(a, b, c), gfp)

    as it's slightly less ugly than:

    kmalloc_array(array_size(a, b), c, gfp)

    This does, however, attempt to ignore constant size factors like:

    kmalloc(4 * 1024, gfp)

    though any constants defined via macros get caught up in the conversion.

    Any factors with a sizeof() of "unsigned char", "char", and "u8" were
    dropped, since they're redundant.

    The tools/ directory was manually excluded, since it has its own
    implementation of kmalloc().

    The Coccinelle script used for this was:

    // Fix redundant parens around sizeof().
    @@
    type TYPE;
    expression THING, E;
    @@

    (
    kmalloc(
    - (sizeof(TYPE)) * E
    + sizeof(TYPE) * E
    , ...)
    |
    kmalloc(
    - (sizeof(THING)) * E
    + sizeof(THING) * E
    , ...)
    )

    // Drop single-byte sizes and redundant parens.
    @@
    expression COUNT;
    typedef u8;
    typedef __u8;
    @@

    (
    kmalloc(
    - sizeof(u8) * (COUNT)
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(__u8) * (COUNT)
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(char) * (COUNT)
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(unsigned char) * (COUNT)
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(u8) * COUNT
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(__u8) * COUNT
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(char) * COUNT
    + COUNT
    , ...)
    |
    kmalloc(
    - sizeof(unsigned char) * COUNT
    + COUNT
    , ...)
    )

    // 2-factor product with sizeof(type/expression) and identifier or constant.
    @@
    type TYPE;
    expression THING;
    identifier COUNT_ID;
    constant COUNT_CONST;
    @@

    (
    - kmalloc
    + kmalloc_array
    (
    - sizeof(TYPE) * (COUNT_ID)
    + COUNT_ID, sizeof(TYPE)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(TYPE) * COUNT_ID
    + COUNT_ID, sizeof(TYPE)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(TYPE) * (COUNT_CONST)
    + COUNT_CONST, sizeof(TYPE)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(TYPE) * COUNT_CONST
    + COUNT_CONST, sizeof(TYPE)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(THING) * (COUNT_ID)
    + COUNT_ID, sizeof(THING)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(THING) * COUNT_ID
    + COUNT_ID, sizeof(THING)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(THING) * (COUNT_CONST)
    + COUNT_CONST, sizeof(THING)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(THING) * COUNT_CONST
    + COUNT_CONST, sizeof(THING)
    , ...)
    )

    // 2-factor product, only identifiers.
    @@
    identifier SIZE, COUNT;
    @@

    - kmalloc
    + kmalloc_array
    (
    - SIZE * COUNT
    + COUNT, SIZE
    , ...)

    // 3-factor product with 1 sizeof(type) or sizeof(expression), with
    // redundant parens removed.
    @@
    expression THING;
    identifier STRIDE, COUNT;
    type TYPE;
    @@

    (
    kmalloc(
    - sizeof(TYPE) * (COUNT) * (STRIDE)
    + array3_size(COUNT, STRIDE, sizeof(TYPE))
    , ...)
    |
    kmalloc(
    - sizeof(TYPE) * (COUNT) * STRIDE
    + array3_size(COUNT, STRIDE, sizeof(TYPE))
    , ...)
    |
    kmalloc(
    - sizeof(TYPE) * COUNT * (STRIDE)
    + array3_size(COUNT, STRIDE, sizeof(TYPE))
    , ...)
    |
    kmalloc(
    - sizeof(TYPE) * COUNT * STRIDE
    + array3_size(COUNT, STRIDE, sizeof(TYPE))
    , ...)
    |
    kmalloc(
    - sizeof(THING) * (COUNT) * (STRIDE)
    + array3_size(COUNT, STRIDE, sizeof(THING))
    , ...)
    |
    kmalloc(
    - sizeof(THING) * (COUNT) * STRIDE
    + array3_size(COUNT, STRIDE, sizeof(THING))
    , ...)
    |
    kmalloc(
    - sizeof(THING) * COUNT * (STRIDE)
    + array3_size(COUNT, STRIDE, sizeof(THING))
    , ...)
    |
    kmalloc(
    - sizeof(THING) * COUNT * STRIDE
    + array3_size(COUNT, STRIDE, sizeof(THING))
    , ...)
    )

    // 3-factor product with 2 sizeof(variable), with redundant parens removed.
    @@
    expression THING1, THING2;
    identifier COUNT;
    type TYPE1, TYPE2;
    @@

    (
    kmalloc(
    - sizeof(TYPE1) * sizeof(TYPE2) * COUNT
    + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
    , ...)
    |
    kmalloc(
    - sizeof(TYPE1) * sizeof(THING2) * (COUNT)
    + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
    , ...)
    |
    kmalloc(
    - sizeof(THING1) * sizeof(THING2) * COUNT
    + array3_size(COUNT, sizeof(THING1), sizeof(THING2))
    , ...)
    |
    kmalloc(
    - sizeof(THING1) * sizeof(THING2) * (COUNT)
    + array3_size(COUNT, sizeof(THING1), sizeof(THING2))
    , ...)
    |
    kmalloc(
    - sizeof(TYPE1) * sizeof(THING2) * COUNT
    + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
    , ...)
    |
    kmalloc(
    - sizeof(TYPE1) * sizeof(THING2) * (COUNT)
    + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
    , ...)
    )
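
Review bot: In the second alternative of this rule, the removed line matches sizeof(TYPE1) * sizeof(THING2) * (COUNT) but the added line emits sizeof(TYPE2), a metavariable that the removed line never binds. The identical removed line appears again in the last alternative, where it maps to sizeof(THING2), so the second alternative looks like it was meant to remove sizeof(TYPE1) * sizeof(TYPE2) * (COUNT), which would also give the first alternative its parenthesised-COUNT counterpart.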

    // 3-factor product, only identifiers, with redundant parens removed.
    @@
    identifier STRIDE, SIZE, COUNT;
    @@

    (
    kmalloc(
    - (COUNT) * STRIDE * SIZE
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - COUNT * (STRIDE) * SIZE
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - COUNT * STRIDE * (SIZE)
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - (COUNT) * (STRIDE) * SIZE
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - COUNT * (STRIDE) * (SIZE)
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - (COUNT) * STRIDE * (SIZE)
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - (COUNT) * (STRIDE) * (SIZE)
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    |
    kmalloc(
    - COUNT * STRIDE * SIZE
    + array3_size(COUNT, STRIDE, SIZE)
    , ...)
    )

    // Any remaining multi-factor products, first at least 3-factor products,
    // when they're not all constants...
    @@
    expression E1, E2, E3;
    constant C1, C2, C3;
    @@

    (
    kmalloc(C1 * C2 * C3, ...)
    |
    kmalloc(
    - (E1) * E2 * E3
    + array3_size(E1, E2, E3)
    , ...)
    |
    kmalloc(
    - (E1) * (E2) * E3
    + array3_size(E1, E2, E3)
    , ...)
    |
    kmalloc(
    - (E1) * (E2) * (E3)
    + array3_size(E1, E2, E3)
    , ...)
    |
    kmalloc(
    - E1 * E2 * E3
    + array3_size(E1, E2, E3)
    , ...)
    )

    // And then all remaining 2 factors products when they're not all constants,
    // keeping sizeof() as the second factor argument.
    @@
    expression THING, E1, E2;
    type TYPE;
    constant C1, C2, C3;
    @@

    (
    kmalloc(sizeof(THING) * C2, ...)
    |
    kmalloc(sizeof(TYPE) * C2, ...)
    |
    kmalloc(C1 * C2 * C3, ...)
    |
    kmalloc(C1 * C2, ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(TYPE) * (E2)
    + E2, sizeof(TYPE)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(TYPE) * E2
    + E2, sizeof(TYPE)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(THING) * (E2)
    + E2, sizeof(THING)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - sizeof(THING) * E2
    + E2, sizeof(THING)
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - (E1) * E2
    + E1, E2
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - (E1) * (E2)
    + E1, E2
    , ...)
    |
    - kmalloc
    + kmalloc_array
    (
    - E1 * E2
    + E1, E2
    , ...)
    )

    Signed-off-by: Kees Cook

    Kees Cook
     

27 Apr, 2018

1 commit

  • i2cdev_ioctl_rdwr() allocates i2c_msg.buf using memdup_user(), which
    returns ZERO_SIZE_PTR if i2c_msg.len is zero.

    Currently i2cdev_ioctl_rdwr() always dereferences the buf pointer in case
    of I2C_M_RD | I2C_M_RECV_LEN transfer. That causes a kernel oops in
    case of zero len.

    Let's check the len against zero before dereferencing buf pointer.

    This issue was triggered by syzkaller.

    Signed-off-by: Alexander Popov
    Reviewed-by: Uwe Kleine-König
    [wsa: use '< 1' instead of '!' for easier readability]
    Signed-off-by: Wolfram Sang

    Alexander Popov
     

04 Dec, 2017

1 commit


20 Sep, 2017

1 commit


13 Jan, 2017

1 commit


08 Jul, 2016

1 commit

  • There is no code protecting i2c_dev to be freed after it is returned
    from i2c_dev_get_by_minor() and using it to access the value which we
    already have (minor) isn't safe really.

    Avoid using it and get the adapter directly from 'minor'.

    Signed-off-by: Viresh Kumar
    Reviewed-by: Jean Delvare
    Tested-by: Jean Delvare
    Signed-off-by: Wolfram Sang

    viresh kumar
     

28 May, 2016

1 commit

  • The call to put_i2c_dev() frees "i2c_dev" so there is a use after
    free when we call cdev_del(&i2c_dev->cdev).

    Fixes: d6760b14d4a1 ('i2c: dev: switch from register_chrdev to cdev API')
    Signed-off-by: Dan Carpenter
    Signed-off-by: Wolfram Sang

    Dan Carpenter
     

27 May, 2016

2 commits

  • I stumbled multiple times over 'return_i2c_dev', especially before the
    actual 'return res'. It makes the code hard to read, so rename the
    function to 'put_i2c_dev' which also better matches 'get_free_i2c_dev'.

    Signed-off-by: Wolfram Sang

    Wolfram Sang
     
  • i2c-dev had never moved away from the older register_chrdev interface to
    implement its char device registration. The register_chrdev API has the
    limitation of enabling only up to 256 i2c-dev busses to exist.

    Large platforms with lots of i2c devices (i.e. pluggable transceivers)
    with dedicated busses may have to exceed that limit.
    In particular, there are also platforms making use of the i2c bus
    multiplexing API, which instantiates a virtual bus for each possible
    multiplexed selection.

    This patch removes the register_chrdev usage and replaces it with the
    less old cdev API, which takes away the 256 i2c-dev bus limitation.
    It should not have any other impact for i2c bus drivers or user space.

    This patch has been tested on qemu x86 and qemu powerpc platforms with
    the aid of a module which adds and removes 5000 virtual i2c busses, as
    well as validated on an existing powerpc hardware platform which makes
    use of the i2c bus multiplexing API.
    i2c-dev busses with device minor numbers larger than 256 have also been
    validated to work with the existing i2c-tools.

    Signed-off-by: Erico Nunes
    [wsa: kept includes sorted]
    Signed-off-by: Wolfram Sang

    Erico Nunes
     

21 Feb, 2016

1 commit


24 Oct, 2015

2 commits


08 Nov, 2014

1 commit


30 Sep, 2013

1 commit

  • The 'name' attribute is needed for all i2c-dev class devices, meaning
    it can be created automatically by pointing to it in the class data
    structure. This simplifies the code and reduces the probability for race
    conditions (the name attribute should exist by the time the device is
    announced to user space).

    Signed-off-by: Guenter Roeck
    Signed-off-by: Wolfram Sang

    Guenter Roeck
     

23 Feb, 2013

1 commit


30 May, 2012

1 commit

  • As the bus driver side implementation of I2C_M_RECV_LEN is heavily
    tied to SMBus, we can't support received length over 32 bytes, but
    let's at least support that.

    In practice, the caller will have to setup a buffer large enough to
    cover the case where received length byte has value 32, so minimum
    32 + 1 = 33 bytes, possibly more if there is a fixed number of bytes
    added for the specific slave (for example a checksum.)

    Signed-off-by: Jean Delvare
    Tested-by: Douglas Gilbert

    Jean Delvare
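
The length checks implied by this entry (a buffer of at least 32 + 1 bytes) and by the 27 Apr, 2018 entry above (no dereference of a zero-length buffer), as a user-space model. This is an added example, not the driver's own code; `model_msg` and `check_recv_len` are hypothetical names, the `MODEL_*` constants are constructed stand-ins, and it assumes the caller pre-fills `buf[0]` with the number of extra bytes.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins; the values mirror the uapi definitions of
 * I2C_M_RD, I2C_M_RECV_LEN and I2C_SMBUS_BLOCK_MAX. */
#define MODEL_M_RD       0x0001
#define MODEL_M_RECV_LEN 0x0400
#define MODEL_BLOCK_MAX  32
/* A zero-byte allocation yields a non-NULL marker that must not be
 * dereferenced; modelled here with a sentinel address. */
#define MODEL_ZERO_SIZE_PTR ((unsigned char *)16)

struct model_msg {
    unsigned short flags;
    unsigned short len;
    unsigned char *buf;
};

/* Returns 0 if the message may be passed to the bus driver, -EINVAL
 * otherwise. The len test runs before any read of buf[0]. */
static int check_recv_len(const struct model_msg *m)
{
    if (!(m->flags & MODEL_M_RECV_LEN))
        return 0;                  /* nothing extra to validate */
    if (!(m->flags & MODEL_M_RD))
        return -EINVAL;            /* received length only makes sense on reads */
    if (m->len < 1)
        return -EINVAL;            /* buf may be the zero-size marker */
    if (m->buf[0] < 1)
        return -EINVAL;            /* need room for the length byte itself */
    if (m->len < m->buf[0] + MODEL_BLOCK_MAX)
        return -EINVAL;            /* must hold a 32-byte block plus extras */
    return 0;
}

int main(void)
{
    unsigned char buf[33] = { 1 }; /* one extra byte: the length byte */
    struct model_msg zero = { MODEL_M_RD | MODEL_M_RECV_LEN, 0, MODEL_ZERO_SIZE_PTR };
    struct model_msg ok   = { MODEL_M_RD | MODEL_M_RECV_LEN, sizeof(buf), buf };
    struct model_msg tiny = { MODEL_M_RD | MODEL_M_RECV_LEN, 8, buf };

    printf("zero-length: %d\n", check_recv_len(&zero));
    printf("33 bytes:    %d\n", check_recv_len(&ok));
    printf("8 bytes:     %d\n", check_recv_len(&tiny));
    return 0;
}
```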
     

27 Mar, 2012

1 commit


13 Jan, 2012

1 commit

  • Use memdup_user rather than duplicating its implementation.
    This is a little bit restricted to reduce false positives.

    The semantic patch that makes this output is available
    in scripts/coccinelle/api/memdup_user.cocci.

    More information about semantic patching is available at
    http://coccinelle.lip6.fr/

    Signed-off-by: Thomas Meyer
    Signed-off-by: Jean Delvare

    Thomas Meyer
     

23 Nov, 2011

1 commit

  • The function i2cdev_notifier_call is used only in i2c-dev file
    making it static.
    Also removes the following sparse warning

    drivers/i2c/i2c-dev.c:582:5: warning: symbol 'i2cdev_notifier_call'
    was not declared. Should it be static?

    Signed-off-by: Shubhrajyoti D
    Signed-off-by: Jean Delvare

    Shubhrajyoti D
     

20 Mar, 2011

1 commit


25 Oct, 2010

1 commit


12 Aug, 2010

3 commits

  • Add multiplexed bus core support. I2C multiplexer and switches
    like pca954x get instantiated as new adapters per port.

    Signed-off-by: Michael Lawnick
    Acked-by: Rodolfo Giometti
    Signed-off-by: Jean Delvare

    Michael Lawnick
     
  • Use memdup_user when user data is immediately copied into the allocated
    region. Note that in the second case, the ++i is no longer necessary, as
    the last value is already freed if needed by the call to memdup_user.

    The semantic patch that makes this change is as follows:
    (http://coccinelle.lip6.fr/)

    //
    @@
    expression from,to,size,flag;
    position p;
    identifier l1,l2;
    @@

    - to = \(kmalloc@p\|kzalloc@p\)(size,flag);
    + to = memdup_user(from,size);
    if (
    - to==NULL
    + IS_ERR(to)
    || ...) {

    }
    - if (copy_from_user(to, from, size) != 0) {
    -
    - }
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: Jean Delvare

    Julia Lawall
     
  • Signed-off-by: Joe Perches
    Signed-off-by: Jean Delvare

    Joe Perches
     

22 May, 2010

2 commits


07 Dec, 2009

1 commit

  • The BKL is held over a kmalloc so cannot protect anything beyond that.
    The two calls before the kmalloc have their own locking.
    Improve device open function by removing the now unnecessary ret variable

    Signed-off-by: Vincent Sanders
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Jean Delvare

    Vincent Sanders
     

25 Feb, 2009

1 commit

  • The unit in which user-space can set the bus timeout value is jiffies
    for historical reasons (back when HZ was always 100.) This is however
    not good because user-space doesn't know how long a jiffy lasts. The
    timeout value should instead be set in a fixed time unit. Given the
    original value of HZ, this unit should be 10 ms, for compatibility.

    Signed-off-by: Jean Delvare
    Acked-by: Wolfram Sang

    Jean Delvare
     

17 Oct, 2008

1 commit


24 Sep, 2008

1 commit


11 Aug, 2008

1 commit


22 Jul, 2008

1 commit


16 Jul, 2008

1 commit

  • * 'i2c-for-linus' of git://jdelvare.pck.nerim.net/jdelvare-2.6: (56 commits)
    i2c: Add detection capability to new-style drivers
    i2c: Call client_unregister for new-style devices too
    i2c: Clean up old chip drivers
    i2c-ibm_iic: Register child nodes
    i2c: New-style EEPROM driver using device IDs
    i2c: Export the i2c_bus_type symbol
    i2c-au1550: Fix PM support
    i2c-dev: Delete empty detach_client callback
    i2c: Drop stray references to lm_sensors
    i2c: Check for ACPI resource conflicts
    i2c-ocores: basic PM support
    i2c-sibyte: SWARM I2C board initialization
    i2c-i801: Fix handling of error conditions
    i2c-i801: Rename local variable temp to status
    i2c-i801: Properly report bus arbitration loss
    i2c-i801: Remove verbose debugging messages
    i2c-algo-pcf: Drop unused struct members
    i2c-algo-pcf: Multi-master lost-arbitration improvement
    i2c: Deprecate the legacy gpio drivers
    i2c-pxa: Initialize early
    ...

    Linus Torvalds
     

15 Jul, 2008

2 commits


19 May, 2008

1 commit


23 Apr, 2008

1 commit

  • Split the handling of the I2C_RDWR and I2C_SMBUS ioctls to their own
    functions. This limits the stack usage, saves one level of indentation
    and makes the code more readable.

    Signed-off-by: Jean Delvare

    Jean Delvare
     

28 Jan, 2008

1 commit

  • The i2c_adapter.clients list of i2c_client nodes duplicates driver
    model state. This patch starts removing that list, letting us remove
    most existing users of those i2c-core lists.

    * The core I2C code now iterates over the driver model's list instead
    of the i2c-internal one in some places where it's safe:
    - Passing a command/ioctl to each client, a mechanism
    used almost exclusively by DVB adapters;
    - Device address checking, in both i2c-core and i2c-dev.

    * Provide i2c_verify_client() to use with driver model iterators.

    * Flag the relevant i2c_adapter and i2c_client fields as deprecated,
    to help prevent new users from appearing.

    For the moment the list needs to stick around, since some issues show
    up when deleting devices created by legacy I2C drivers. (They don't
    follow standard driver model rules. Removing those devices can cause
    self-deadlocks.)

    Signed-off-by: David Brownell
    Signed-off-by: Jean Delvare

    David Brownell