lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20250616-qca-i2c-v1-1-2a8d37ee0a30@outlook.com>
Date: Mon, 16 Jun 2025 00:01:10 +0800
From: Yang Xiwen via B4 Relay <devnull+forbidden405.outlook.com@...nel.org>
To: Andi Shyti <andi.shyti@...nel.org>, 
 Stephan Gerhold <stephan.gerhold@...nkonzept.com>
Cc: linux-arm-msm@...r.kernel.org, linux-i2c@...r.kernel.org, 
 linux-kernel@...r.kernel.org, stable@...r.kernel.org, 
 Yang Xiwen <forbidden405@...look.com>
Subject: [PATCH] i2c: qup: jump out of the loop in case of timeout

From: Yang Xiwen <forbidden405@...look.com>

Original logic only sets the return value but doesn't jump out of the
loop if the bus is kept active by a client. This is not expected. A
malicious or buggy i2c client can hang the kernel in this case and
should be avoided. This is observed during a long time test with a
PCA953x GPIO extender.

Fix it by changing the logic to not only sets the return value, but also
jumps out of the loop and return to the caller with -ETIMEDOUT.

Cc: stable@...r.kernel.org
Signed-off-by: Yang Xiwen <forbidden405@...look.com>
---
 drivers/i2c/busses/i2c-qup.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-qup.c b/drivers/i2c/busses/i2c-qup.c
index 3a36d682ed57..5b053e51f4c9 100644
--- a/drivers/i2c/busses/i2c-qup.c
+++ b/drivers/i2c/busses/i2c-qup.c
@@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup_i2c_dev *qup, int len)
 		if (!(status & I2C_STATUS_BUS_ACTIVE))
 			break;
 
-		if (time_after(jiffies, timeout))
+		if (time_after(jiffies, timeout)) {
 			ret = -ETIMEDOUT;
+			break;
+		}
 
 		usleep_range(len, len * 2);
 	}

---
base-commit: 19272b37aa4f83ca52bdf9c16d5d81bdd1354494
change-id: 20250615-qca-i2c-d41bb61aa59e

Best regards,
-- 
Yang Xiwen <forbidden405@...look.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ