i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
authorHeiner Kallweit <hkallweit1@gmail.com>
Sat, 9 Sep 2023 20:25:06 +0000 (22:25 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 28 Nov 2023 17:20:11 +0000 (17:20 +0000)
commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream.

Currently we set SMBHSTCNT_LAST_BYTE only after the host has started
receiving the last byte. If we get e.g. preempted before setting
SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte
before SMBHSTCNT_LAST_BYTE is set.
Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing
SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code
is also consistent with what we do in i801_isr_byte_done().

Reported-by: Jean Delvare <jdelvare@suse.com>
Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/
Cc: stable@vger.kernel.org
Acked-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/i2c/busses/i2c-i801.c

index 89631fd..a87e3c1 100644 (file)
@@ -681,15 +681,11 @@ static int i801_block_transaction_byte_by_byte(struct i801_priv *priv,
                return result ? priv->status : -ETIMEDOUT;
        }
 
-       for (i = 1; i <= len; i++) {
-               if (i == len && read_write == I2C_SMBUS_READ)
-                       smbcmd |= SMBHSTCNT_LAST_BYTE;
-               outb_p(smbcmd, SMBHSTCNT(priv));
-
-               if (i == 1)
-                       outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START,
-                              SMBHSTCNT(priv));
+       if (len == 1 && read_write == I2C_SMBUS_READ)
+               smbcmd |= SMBHSTCNT_LAST_BYTE;
+       outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv));
 
+       for (i = 1; i <= len; i++) {
                status = i801_wait_byte_done(priv);
                if (status)
                        return status;
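Review bot: The `len == 1` test ahead of `outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv));` depends on an ordering rule that the code never states: SMBHSTCNT_LAST_BYTE must be set before the host starts receiving the final byte, and a one-byte read has no earlier byte-done step to set it from. A short comment would keep a later refactor from reintroducing the race, for example `/* 1-byte read: set LAST_BYTE together with START, there is no earlier BYTE_DONE to set it from */` here and `/* set LAST_BYTE before BYTE_DONE is written for byte len - 1 */` at the `i == len - 1` check in the second hunk, where the old SMBBLKDAT comment was dropped without a replacement. The context line `data->block[0] = len;` in the second hunk suggests that len can be reassigned inside the loop. If that value is supplied by the device, the pre-loop check uses the caller's len, so a device-reported length of 1 would apparently never get LAST_BYTE set. That should be confirmed against the full function, which begins and ends outside both hunks.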
@@ -712,9 +708,12 @@ static int i801_block_transaction_byte_by_byte(struct i801_priv *priv,
                        data->block[0] = len;
                }
 
-               /* Retrieve/store value in SMBBLKDAT */
-               if (read_write == I2C_SMBUS_READ)
+               if (read_write == I2C_SMBUS_READ) {
                        data->block[i] = inb_p(SMBBLKDAT(priv));
+                       if (i == len - 1)
+                               outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv));
+               }
+
                if (read_write == I2C_SMBUS_WRITE && i+1 <= len)
                        outb_p(data->block[i+1], SMBBLKDAT(priv));