| Message ID | 20250424053320.19211-1-akhilrajeev@nvidia.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v2,RESEND] i2c: tegra: check msg length in SMBUS block read | expand |
Hi Akhil, On Thu, Apr 24, 2025 at 11:03:20AM +0530, Akhil R wrote: > For SMBUS block read, do not continue to read if the message length > passed from the device is '0' or greater than the maximum allowed bytes. > > Signed-off-by: Akhil R <akhilrajeev@nvidia.com> > Acked-by: Thierry Reding <treding@nvidia.com> > --- > v1->v2: Add check for the maximum data as well. > > drivers/i2c/busses/i2c-tegra.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c > index 87976e99e6d0..049b4d154c23 100644 > --- a/drivers/i2c/busses/i2c-tegra.c > +++ b/drivers/i2c/busses/i2c-tegra.c > @@ -1395,6 +1395,11 @@ static int tegra_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], > ret = tegra_i2c_xfer_msg(i2c_dev, &msgs[i], MSG_END_CONTINUE); > if (ret) > break; > + > + /* Validate message length before proceeding */ > + if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX) > + break; > + I agree with Thierry, this check is driver independent and it should be done in the library. Anyway, for now, I'm going to take this as this check is now left to the drivers and it would be huge to shift it somewhere else. Before I merge, I want to know if you have you seen any failure here? What is the reason you are sending it? Thanks, Andi > /* Set the msg length from first byte */ > msgs[i].len += msgs[i].buf[0]; > dev_dbg(i2c_dev->dev, "reading %d bytes\n", msgs[i].len); > -- > 2.43.2 >
> I agree with Thierry, this check is driver independent and it > should be done in the library. Anyway, for now, I'm going to take > this as this check is now left to the drivers and it would be > huge to shift it somewhere else. The big picture is to support SMBUS3 somewhen which allows for 255 byte transfers. Besides that, it usually is not possible to check the value outside the driver because it has to act on the value right away. That is, the length comes in and exactly this number of bytes has to be read in the same message, > Before I merge, I want to know if you have you seen any failure > here? What is the reason you are sending it? Usually some devices just send more bytes because they can. A value of 0 would be interesting in deed.
> > I agree with Thierry, this check is driver independent and it > > should be done in the library. Anyway, for now, I'm going to take > > this as this check is now left to the drivers and it would be > > huge to shift it somewhere else. > > The big picture is to support SMBUS3 somewhen which allows for 255 byte > transfers. Besides that, it usually is not possible to check the value > outside the driver because it has to act on the value right away. That > is, the length comes in and exactly this number of bytes has to be read > in the same message, > > > Before I merge, I want to know if you have you seen any failure > > here? What is the reason you are sending it? > > Usually some devices just send more bytes because they can. A value of 0 > would be interesting in deed. Yes. We have had issues where the client device sends '0' as length if the transfer is terminated abruptly at the client's side. The actual fix is in the client's driver, but this check here would ensure that the master does not run into trouble either. Regards, Akhil
Hi Akhil, > Yes. We have had issues where the client device sends '0' as length if the Can you reveal which client that is? > transfer is terminated abruptly at the client's side. The actual fix is in the client's > driver, but this check here would ensure that the master does not run into > trouble either. Correct. Happy hacking! Wolfram
> Hi Akhil, > > > Yes. We have had issues where the client device sends '0' as length if > > the > > Can you reveal which client that is? The issue came from a downstream change in the file drivers/char/ipmi/ssif_bmc.c in the OpenBMC Linux tree. > > > transfer is terminated abruptly at the client's side. The actual fix > > is in the client's driver, but this check here would ensure that the > > master does not run into trouble either. > > Correct. > > Happy hacking! Regards, Akhil
Hi Akhil, On Tue, Apr 29, 2025 at 09:51:14AM +0000, Akhil R wrote: > > > Yes. We have had issues where the client device sends '0' as length if > > > the > > > > Can you reveal which client that is? > > The issue came from a downstream change in the file > drivers/char/ipmi/ssif_bmc.c in the OpenBMC Linux tree. > > > > > > transfer is terminated abruptly at the client's side. The actual fix > > > is in the client's driver, but this check here would ensure that the > > > master does not run into trouble either. I took it anyway into i2c/i2c-host. Better redundant than sorry. Other drivers are doing the same check, so for now there is no point in being picky. I might try to clean things up later. Thanks, Andi
diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c index 87976e99e6d0..049b4d154c23 100644 --- a/drivers/i2c/busses/i2c-tegra.c +++ b/drivers/i2c/busses/i2c-tegra.c @@ -1395,6 +1395,11 @@ static int tegra_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[], ret = tegra_i2c_xfer_msg(i2c_dev, &msgs[i], MSG_END_CONTINUE); if (ret) break; + + /* Validate message length before proceeding */ + if (msgs[i].buf[0] == 0 || msgs[i].buf[0] > I2C_SMBUS_BLOCK_MAX) + break; + /* Set the msg length from first byte */ msgs[i].len += msgs[i].buf[0]; dev_dbg(i2c_dev->dev, "reading %d bytes\n", msgs[i].len);