From patchwork Sat May 16 13:08:29 2009
X-Patchwork-Submitter: Matthieu Castet
X-Patchwork-Id: 24254
Message-ID: <4A0EBACD.6070601@free.fr>
Date: Sat, 16 May 2009 15:08:29 +0200
From: matthieu castet
To: Patrick Boettcher
CC: Mauro Carvalho Chehab, linux-media@vger.kernel.org, DVB list
Subject: [PATCH] DIBUSB_MC : fix i2c to not corrupt eeprom in case of strange read pattern
In-Reply-To: <498215A8.3020203@free.fr>
X-Mailing-List: linux-media@vger.kernel.org

Hi,

dibusb_i2c_xfer seems to do very dangerous things: it assumes that it gets only write/read requests or write requests. That means that a read can be understood as a write.

For example, a program doing

    file = open("/dev/i2c-x", O_RDWR);
    ioctl(file, I2C_SLAVE, 0x50);
    read(file, data, 10);

will corrupt the eeprom, as it will be understood as a write.

I attach a possible (untested) patch.

Matthieu

Signed-off-by: Matthieu CASTET

Index: linux-2.6/drivers/media/dvb/dvb-usb/dibusb-common.c =================================================================== --- linux-2.6.orig/drivers/media/dvb/dvb-usb/dibusb-common.c 2009-02-09 20:36:03.000000000 +0100 +++ linux-2.6/drivers/media/dvb/dvb-usb/dibusb-common.c 2009-02-09 20:38:21.000000000 +0100 @@ -133,14 +133,18 @@ for (i = 0; i < num; i++) { /* write/read request */ - if (i+1 < num && (msg[i+1].flags & I2C_M_RD)) { + if (i+1 < num && (msg[i].flags & I2C_M_RD) == 0 + && (msg[i+1].flags & I2C_M_RD)) { if (dibusb_i2c_msg(d, msg[i].addr, msg[i].buf,msg[i].len, msg[i+1].buf,msg[i+1].len) < 0) break; i++; - } else + } else if ((msg[i].flags & I2C_M_RD) == 0) { if (dibusb_i2c_msg(d, msg[i].addr, msg[i].buf,msg[i].len,NULL,0) < 0) break; + } + else + break; } mutex_unlock(&d->i2c_mutex);
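
Review bot: the new trailing "else break;" rejects a standalone read silently. It leaves the loop the same way a failed dibusb_i2c_msg() call does, so nothing in the visible lines lets the caller tell an unsupported read-only message from a transfer error. Consider logging a warning in that branch, or recording a distinct error such as -EOPNOTSUPP before leaving the loop, and add a short comment above the loop stating that only write and write-then-read sequences are supported. On style, the closing brace and "else" are split across two lines and the last branch is unbraced while the other two are braced; "} else {" with a braced body would match the branches above it. The cover text calls the patch untested, so the write-then-read path should be confirmed on hardware before this is applied.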