From 2c69183c2dad607d7371cfed7c9b5b1c56b50e27 Mon Sep 17 00:00:00 2001 From: Jean Delvare Date: Mon, 26 Feb 2024 07:21:36 +0000 Subject: [PATCH] i2c: i801: Fix block process call transactions mainline inclusion from mainline-v6.8-rc6 commit c1c9d0f6f7f1dbf29db996bd8e166242843a5f21 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I93ELY CVE: CVE-2024-26593 -------------------------------- According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once again before reading the incoming data from the buffer. The driver is currently missing the second reset, causing the wrong portion of the block buffer to be read. Signed-off-by: Jean Delvare Reported-by: Piotr Zakowski Closes: https://lore.kernel.org/linux-i2c/20240213120553.7b0ab120@endymion.delvare/ Fixes: 315cd67c9453 ("i2c: i801: Add Block Write-Block Read Process Call support") Reviewed-by: Alexander Sverdlin Signed-off-by: Andi Shyti Signed-off-by: Liao Chen --- drivers/i2c/busses/i2c-i801.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c index 679c6c41f64b4..1c87bb8428fc8 100644 --- a/drivers/i2c/busses/i2c-i801.c +++ b/drivers/i2c/busses/i2c-i801.c @@ -522,12 +522,11 @@ static int i801_block_transaction_by_block(struct i801_priv *priv, int i, len; int status; - inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */ - /* Use 32-byte buffer to process this transaction */ if (read_write == I2C_SMBUS_WRITE) { len = data->block[0]; outb_p(len, SMBHSTDAT0(priv)); + inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */ for (i = 0; i < len; i++) outb_p(data->block[i+1], SMBBLKDAT(priv)); } @@ -543,6 +542,7 @@ static int i801_block_transaction_by_block(struct i801_priv *priv, return -EPROTO; data->block[0] = len; + inb_p(SMBHSTCNT(priv)); /* reset the data buffer index */ for (i = 0; i < len; i++) data->block[i + 1] = inb_p(SMBBLKDAT(priv)); } -- Gitee