From: Akhil R akhilrajeev@nvidia.com
[ Upstream commit a6e04f05ce0b070ab39d5775580e65c7d943da0b ]
For SMBUS block read, do not continue to read if the message length passed from the device is '0' or greater than the maximum allowed bytes.
Signed-off-by: Akhil R akhilrajeev@nvidia.com
Acked-by: Thierry Reding treding@nvidia.com
Link: https://lore.kernel.org/r/20250424053320.19211-1-akhilrajeev@nvidia.com
Signed-off-by: Andi Shyti andi.shyti@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
---
Based on my analysis of both the commit message, code changes, and the kernel tree context, here is my assessment:

**YES**

This commit should be backported to stable kernel trees for the following reasons:

## Analysis of Code Changes

The commit adds a critical validation check for SMBUS block read operations:

```c
/* Validate message length before proceeding */
if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX)
	break;
```

## Why This Should Be Backported:

### 1. **Security and Data Integrity Protection**

The change prevents two critical issues:

- **Buffer overflow protection**: Without this check, a malicious or faulty device could specify a block length > 32 bytes (I2C_SMBUS_BLOCK_MAX), causing the driver to read beyond allocated buffer boundaries
- **Zero-length validation**: Prevents processing zero-length blocks which could cause undefined behavior in subsequent operations

### 2. **Clear Bug Fix Nature**

This is a straightforward bug fix that:

- Adds missing input validation for a critical path
- Uses existing constants (I2C_SMBUS_BLOCK_MAX = 32)
- Follows validation patterns used in other I2C drivers
- Is confined to a single, well-understood code path

### 3. **Minimal Risk and Contained Change**

- Only 3 lines of code added
- Simple conditional check with well-defined behavior
- No architectural changes or new features
- Limited to SMBUS block read functionality in Tegra I2C driver

### 4. **Alignment with Stable Tree Criteria**

Examining the similar commits provided:

- **Similar Commit #2** (YES status): Also a bug fix for SMBUS block read functionality
- **Similar Commit #4** (YES status): Simple validation improvement using core functionality
- Both demonstrate that contained I2C validation fixes are appropriate for backporting

### 5. **Critical Subsystem Protection**

I2C is a fundamental communication protocol used throughout embedded systems. SMBUS block reads are commonly used for:

- Battery management systems
- Temperature sensors
- EEPROM access
- Hardware monitoring

Unvalidated block lengths could lead to system instability or security vulnerabilities.

### 6. **Follows Precedent**

The commit references fixing behavior "for SMBUS block read" - this type of protocol-specific validation fix has been consistently backported in similar scenarios.

## Risk Assessment: **LOW**

- Simple validation addition
- Well-tested I2C constant (I2C_SMBUS_BLOCK_MAX)
- Fail-safe behavior (breaks loop on invalid input)
- No impact on valid use cases

This commit represents exactly the type of important, low-risk bug fix that stable trees are designed to include.
drivers/i2c/busses/i2c-tegra.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c index 1df5b42041427..89ce8a62b37c6 100644 --- a/drivers/i2c/busses/i2c-tegra.c +++ b/drivers/i2c/busses/i2c-tegra.c @@ -1395,6 +1395,11 @@ static int tegra_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], ret = tegra_i2c_xfer_msg(i2c_dev, &msgs[i], MSG_END_CONTINUE); if (ret) break; + + /* Validate message length before proceeding */ + if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX) + break; + /* Set the msg length from first byte */ msgs[i].len += msgs[i].buf[0]; dev_dbg(i2c_dev->dev, "reading %d bytes\n", msgs[i].len);
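Review bot: In the added length check in tegra_i2c_xfer(), the `break` is reached only after `if (ret) break;` has passed, so ret is still 0 when the loop exits on a zero or oversized length byte, and nothing in the hunk marks the rejection as a failure. Consider setting an explicit error before leaving the loop, for example `ret = -EPROTO;`, so the result does not depend on how the code after the loop (not shown in this hunk) treats an early exit. A dev_dbg() or dev_err() that reports the rejected msgs[i].buf[0] value would also help, since the existing "reading %d bytes" message is skipped on this path and a misbehaving device would otherwise leave no trace in the log.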