Re: [PATCH 2/4] usb: typec: ucsi: stm32g0: add support for stm32g0 i2c controller

From: Christophe JAILLET
Date: Sat Jun 25 2022 - 02:38:02 EST


Le 24/06/2022 à 17:54, Fabrice Gasnier a écrit :
STM32G0 provides an integrated USB Type-C and power delivery interface.
It can be programmed with a firmware to handle UCSI protocol over I2C
interface. A GPIO is used as an interrupt line.

Signed-off-by: Fabrice Gasnier <fabrice.gasnier-rj0Iel/JR4NBDgjK7y7TUQ@xxxxxxxxxxxxxxxx>
---
drivers/usb/typec/ucsi/Kconfig | 10 ++
drivers/usb/typec/ucsi/Makefile | 1 +
drivers/usb/typec/ucsi/ucsi_stm32g0.c | 218 ++++++++++++++++++++++++++
3 files changed, 229 insertions(+)
create mode 100644 drivers/usb/typec/ucsi/ucsi_stm32g0.c


[...]

+static int ucsi_stm32g0_async_write(struct ucsi *ucsi, unsigned int offset, const void *val,
+ size_t len)
+{
+ struct ucsi_stm32g0 *g0 = ucsi_get_drvdata(ucsi);
+ struct i2c_client *client = g0->client;
+ struct i2c_msg msg[] = {
+ {
+ .addr = client->addr,
+ .flags = 0,
+ }
+ };
+ unsigned char *buf;
+ int ret;
+
+ buf = kzalloc(len + 1, GFP_KERNEL);

Hi,

Nit: kmalloc() would be enough here, the whole buffer is written just a few lines after.

+ if (!buf)
+ return -ENOMEM;
+
+ buf[0] = offset;
+ memcpy(&buf[1], val, len);
+ msg[0].len = len + 1;
+ msg[0].buf = buf;
+
+ ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg));
+ kfree(buf);
+ if (ret != ARRAY_SIZE(msg)) {
+ dev_err(g0->dev, "i2c write %02x, %02x error: %d\n", client->addr, buf[0], ret);

Use-after-free of buf.

+
+ return ret < 0 ? ret : -EIO;
+ }
+
+ return 0;
+}
+

Just my 2c,
CJ

[...]