On Tue, May 25, 2021 at 05:03:36PM +0200, Jean Delvare wrote: > Now that the i2c-i801 driver supports interrupts, setting the KILL bit > in a attempt to recover from a timed out transaction triggers an > interrupt. Unfortunately, the interrupt handler (i801_isr) is not > prepared for this situation and will try to process the interrupt as > if it was signaling the end of a successful transaction. In the case > of a block transaction, this can result in an out-of-range memory > access. > > This condition was reproduced several times by syzbot: > https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e > https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e > https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e > https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb > https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a > https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 > > So disable interrupts while trying to reset the bus. Interrupts will > be enabled again for the following transaction. > > Fixes: 636752bcb517 ("i2c-i801: Enable IRQ for SMBus transactions") > Reported-by: syzbot+b4d3fd1dfd53e90afd79@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Jean Delvare <jdelvare@xxxxxxx> > Acked-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx> > Cc: Jarkko Nikula <jarkko.nikula@xxxxxxxxxxxxxxx> Applied to for-current, thanks!
Attachment:
signature.asc
Description: PGP signature