diff options
| author |   Abdurrahman Hussain <abdurrahman@nexthop.ai> | 2026-05-18 17:52:27 -0700 |
|---|---|---|
| committer |   Guenter Roeck <linux@roeck-us.net> | 2026-05-21 06:59:46 -0700 |
| commit | a7232f68c43ca62f545049b7f5fbfc75137b843b (patch) | |
| tree | abb5df4488ff1f38ff3166b448688f284dd33990 /include/linux/amba/ssh:/git@git.zx2c4.com | |
| parent | hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple (diff) | |
hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
adm1266_gpio_get() and adm1266_gpio_get_multiple() both compose the
pin-status word as
pins_status = read_buf[0] + (read_buf[1] << 8);
right after i2c_smbus_read_block_data(), guarding only against an
error return. A well-behaved device returns 2 bytes for
GPIO_STATUS/PDIO_STATUS, but the helper happily reports a 0- or
1-byte response too. If the device returns 0 bytes, both read_buf
slots are uninitialized stack memory; if it returns 1 byte, read_buf[1]
is.
The composed value then flows through set_bit() into the caller's
*bits in adm1266_gpio_get_multiple(), or into the return value of
adm1266_gpio_get(), and ends up in userspace via gpiolib (sysfs and
the char-dev ioctls). That leaks a few bits of kernel stack per
request on any device whose firmware glitch, bus error, or hostile
slave produces a short block-read response.
Add the missing length check to both call sites and surface a short
response as -EIO.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-3-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Diffstat (limited to 'include/linux/amba/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions