| From 359de1206b33eca18789ab0bbaf8e227843837de Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Sun, 29 Mar 2026 17:09:40 +0000 |
| Subject: hwmon: (tps53679) Fix array access with zero-length block read |
| |
| From: Sanman Pradhan <psanman@juniper.net> |
| |
| [ Upstream commit 0e211f6aaa6a00fd0ee0c1eea5498f168c6725e6 ] |
| |
| i2c_smbus_read_block_data() can return 0, indicating a zero-length |
| read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] |
| which is buf[-1], reading one byte before the buffer on the stack. |
| |
| Fix by changing the check from "ret < 0" to "ret <= 0", treating a |
| zero-length read as an error (-EIO), which prevents the out-of-bounds |
| array access. |
| |
| Also fix a typo in the adjacent comment: "if present" instead of |
| duplicate "if". |
| |
| Fixes: 75ca1e5875fe ("hwmon: (pmbus/tps53679) Add support for TPS53685") |
| Signed-off-by: Sanman Pradhan <psanman@juniper.net> |
| Link: https://lore.kernel.org/r/20260329170925.34581-2-sanman.pradhan@hpe.com |
| Signed-off-by: Guenter Roeck <linux@roeck-us.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/hwmon/pmbus/tps53679.c | 6 +++--- |
| 1 file changed, 3 insertions(+), 3 deletions(-) |
| |
| diff --git a/drivers/hwmon/pmbus/tps53679.c b/drivers/hwmon/pmbus/tps53679.c |
| index ca2bfa25eb04c..3bca543817a60 100644 |
| --- a/drivers/hwmon/pmbus/tps53679.c |
| +++ b/drivers/hwmon/pmbus/tps53679.c |
| @@ -103,10 +103,10 @@ static int tps53679_identify_chip(struct i2c_client *client, |
| } |
| |
| ret = i2c_smbus_read_block_data(client, PMBUS_IC_DEVICE_ID, buf); |
| - if (ret < 0) |
| - return ret; |
| + if (ret <= 0) |
| + return ret < 0 ? ret : -EIO; |
| |
| - /* Adjust length if null terminator if present */ |
| + /* Adjust length if null terminator is present */ |
| buf_len = (buf[ret - 1] != '\x00' ? ret : ret - 1); |
| |
| id_len = strlen(id); |
| -- |
| 2.53.0 |
| |
