GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/2217528/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2217528,
    "url": "http://patchwork.ozlabs.org/api/patches/2217528/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-i2c/patch/20260330042622.2608889-1-bestswngs@gmail.com/",
    "project": {
        "id": 35,
        "url": "http://patchwork.ozlabs.org/api/projects/35/?format=api",
        "name": "Linux I2C development",
        "link_name": "linux-i2c",
        "list_id": "linux-i2c.vger.kernel.org",
        "list_email": "linux-i2c@vger.kernel.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260330042622.2608889-1-bestswngs@gmail.com>",
    "list_archive_url": null,
    "date": "2026-03-30T04:26:22",
    "name": "[v2] i2c: smbus: reject oversized block transfers in the common path",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "f1931a98f6d059618e49124f30a2bf799b76c291",
    "submitter": {
        "id": 92941,
        "url": "http://patchwork.ozlabs.org/api/people/92941/?format=api",
        "name": "Weiming Shi",
        "email": "bestswngs@gmail.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-i2c/patch/20260330042622.2608889-1-bestswngs@gmail.com/mbox/",
    "series": [
        {
            "id": 497949,
            "url": "http://patchwork.ozlabs.org/api/series/497949/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-i2c/list/?series=497949",
            "date": "2026-03-30T04:26:22",
            "name": "[v2] i2c: smbus: reject oversized block transfers in the common path",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/497949/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2217528/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2217528/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <linux-i2c+bounces-16861-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linux-i2c@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=mjmrFreO;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=linux-i2c+bounces-16861-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"mjmrFreO\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.216.45",
            "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"
        ],
        "Received": [
            "from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fkdVr4D67z1y1q\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 30 Mar 2026 15:26:44 +1100 (AEDT)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 6F4A6300850E\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 30 Mar 2026 04:26:39 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 7F040391835;\n\tMon, 30 Mar 2026 04:26:35 +0000 (UTC)",
            "from mail-pj1-f45.google.com (mail-pj1-f45.google.com\n [209.85.216.45])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id E99A826FA60\n\tfor <linux-i2c@vger.kernel.org>; Mon, 30 Mar 2026 04:26:33 +0000 (UTC)",
            "by mail-pj1-f45.google.com with SMTP id\n 98e67ed59e1d1-35c206f0481so3689957a91.0\n        for <linux-i2c@vger.kernel.org>; Sun, 29 Mar 2026 21:26:33 -0700 (PDT)",
            "from SLSGDTSWING002.tail0ac356.ts.net ([129.126.109.177])\n        by smtp.gmail.com with ESMTPSA id\n 98e67ed59e1d1-35c2eacff20sm4257584a91.3.2026.03.29.21.26.31\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Sun, 29 Mar 2026 21:26:32 -0700 (PDT)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774844795; cv=none;\n b=NJd40I6LqD3QoO1WG6D9kKdx79kvmrshJtH8MUQ8D3LosVkuDpNmnHLApg4kttJiTRIoBK2oYjcj2b/yohx0vi2DaHuZ0L4wRYdX0/GygmKIUxafBWbK2PjUi51j20znheFLNwvIITctifZPoZY+F1vmtzM9CeC+3Tv6Y34h+VE=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774844795; c=relaxed/simple;\n\tbh=Q0lXIsGDXKvyVl1kKXYekFT1SW45OJBuDcA3uYRJOSw=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=OM14sDmdsgeO3f5sfK+rd/EuioJBMYYZQRoLoPFUVoF/nWb2PmX/EPPCZiedSaaTbljH5/qecpa1Ifn07Zvvlpl8jKByTCRklWM6qKjd78OS6wo/70yogMJy+LfjqmD4IEkvYifIE1AM1jrAsTq/XPKhaGHbg6GztRp4j6EOgqA=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=mjmrFreO; arc=none smtp.client-ip=209.85.216.45",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=gmail.com; s=20251104; t=1774844793; x=1775449593;\n darn=vger.kernel.org;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:from:to:cc:subject:date:message-id:reply-to;\n        bh=MEFziDjY8EELmDWMIHiwj21wEphahbqJkx5694Z88mI=;\n        b=mjmrFreOzs/KKtXvpmv3SFAgzAueXOMYVtCbdwv1qCbBIvy0MP+kQvS5WZ7K3JzxMK\n         6geErfuHk15M3KNVgf6qs8PfiPgezOBa+l2cq6p5h/08A7n6fsKcIEGkfy5PkZAj6qOZ\n         fuZxhHgML35oYkYd8GTsvuw+bLS2c9r4/TCW0x5GcVFmpx/OxAABjDFZRsexjo3J0aoU\n         Gkl5jqIycvh+OH3e9WlPFgCYwK22kMg2vugj8vGwSOBsYM7rwFhI1YToHLS5x5gIQoPU\n         YCTX9BNdhSTxAmYtGqs5k77/R5ITUKWYkbYE0GJYjb5qtDWtnb+5H2Mi+NQvm/Qd/pTR\n         nRXw==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n        d=1e100.net; s=20251104; t=1774844793; x=1775449593;\n        h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n         :message-id:reply-to;\n        bh=MEFziDjY8EELmDWMIHiwj21wEphahbqJkx5694Z88mI=;\n        b=eiKpgFAlbx/rIG0sJVjwIH5SsO6HHufrhJ4qi1or0kQdYLGkxK2mEJnUe2oEYF13A8\n         JH5UzMq5q66XQJe1aqDMjpmNWvm4j6XnfM/VNnY8tllDiytTpK3Jzttp+vbNVijHKnFW\n         AbIy/nQYMlrnRHnMWhXIHKsn58dY9BrzBj2Vd1NCGIUOVUD6wkyqP0Si6uOnRsy/zHJV\n         unwdIYu7jrNZNPpsTPCxq0V65E1NvS+lLFn7UaNghO5f/ZxNv7NxDqTORrDlXe18EVYs\n         a/Cg5JFhOOzdEgaGtmSL4NQ8MaYlh+r0nsar4RE2yorpdi71jCyiw+t3e89Od1kYkPjO\n         fnaw==",
        "X-Forwarded-Encrypted": "i=1;\n AJvYcCWmw/dOg/LbQmIctkAlrPKKKrEsJ37vdC+FAknsB6rgM4M8Utc782ORx6gxd5EqMr7KU3J4zrUJ8S8=@vger.kernel.org",
        "X-Gm-Message-State": "AOJu0Yzf9hg/mdDSSaaU7KE3VfO8uVWtdMeqUies0xcboGvCArwC5nRM\n\t8XwgCLCbHJ+k5EV0wHkaUl3gL5AntyZKABAea9tVKF+yCtAlO7kBKulQGsxKJ8JXoTJHYg==",
        "X-Gm-Gg": "ATEYQzxyB5sKS7rV26UjmgPdHdWvGfyMWUSHaTfcJcbHXKxiyXG48ImLmRZV0rUtx+n\n\t/zSyQGg+xxhWGMm+E1VzbOzaCh4EAL6m2fqrIFZFV3eYnQeIasPmIEAhdeqq1zdMCclouYLJA44\n\t/3Gf2aKW3+Eu9roVXv2/5iWk1Rr3jUJCBrt13YDEkOb0d8mFV2lLos1gBEqZjHUyQeRsIuJzg/H\n\tU0W1UIo6VdFCm0WndvAdedqQdgwu3YMJSkympbvuJleKrKun1OrD1X2eVBqplQ5loYVehVpoTH6\n\tyGae6XK2rUml1Ef1eKHG6cthmH3on8UbilKa6T63SJaQImbfUoEB6CyeQnnpiUPlnjwOP3hR4Dv\n\tDYhizyQapNbYEDnQxsh9R2vTbjRbGqZWaVNsOycgowdTLoRdFCS9l2gNltWVZON8kt5Rd43GEZ3\n\t9O7SieIB5P/qNy33VRsTo7GDili6coOETuoy1rle+UyLxkh7kULQuaG37D0lkztft9aznjV8B4Y\n\t5pUoqNX8JYiffHUqBD0XBk=",
        "X-Received": "by 2002:a17:90a:d410:b0:356:1db4:8fe5 with SMTP id\n 98e67ed59e1d1-35c30115629mr10183939a91.29.1774844793246;\n        Sun, 29 Mar 2026 21:26:33 -0700 (PDT)",
        "From": "Weiming Shi <bestswngs@gmail.com>",
        "To": "Wolfram Sang <wsa+renesas@sang-engineering.com>",
        "Cc": "Xiang Mei <xmei5@asu.edu>,\n\tlinux-i2c@vger.kernel.org,\n\tWeiming Shi <bestswngs@gmail.com>,\n\tstable@vger.kernel.org",
        "Subject": "[PATCH v2] i2c: smbus: reject oversized block transfers in the common\n path",
        "Date": "Mon, 30 Mar 2026 12:26:22 +0800",
        "Message-ID": "<20260330042622.2608889-1-bestswngs@gmail.com>",
        "X-Mailer": "git-send-email 2.43.0",
        "Precedence": "bulk",
        "X-Mailing-List": "linux-i2c@vger.kernel.org",
        "List-Id": "<linux-i2c.vger.kernel.org>",
        "List-Subscribe": "<mailto:linux-i2c+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:linux-i2c+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "The SMBus block transfer length data->block[0] is validated in\ni2c_smbus_xfer_emulated() but that check runs too late for tracepoints\nand is skipped entirely when the adapter provides a native smbus_xfer\nimplementation. This allows user-controlled oversized block lengths to\nreach tracepoint memcpy calls and driver callbacks unchecked.\n\nAdd an early validation in __i2c_smbus_xfer() that rejects block\ntransfers with data->block[0] > I2C_SMBUS_BLOCK_MAX before any\ntracepoint fires or driver callback runs. This is consistent with\nthe existing -EINVAL convention in the emulated path and protects all\ndownstream consumers at once: the smbus_write tracepoint, all native\nsmbus_xfer driver implementations, and the emulated path.\n\nTwo distinct bugs are fixed by this change:\n\nBug 1: smbus_write tracepoint OOB (include/trace/events/smbus.h)\n  trace_smbus_write() fires before any validation and copies\n  data->block[0]+1 bytes into a 34-byte event buffer. With\n  block[0]=0xfe the tracepoint copies 255 bytes, overflowing by 221.\n\n BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_smbus_write+0x27c/0x530\n Read of size 255 at addr ffff88800c8b7cd8 by task poc_smbus/86\n Call Trace:\n  <TASK>\n  trace_event_raw_event_smbus_write+0x27c/0x530 (include/trace/events/smbus.h:23)\n  __i2c_smbus_xfer+0x43a/0xa40 (include/trace/events/smbus.h:91)\n  i2c_smbus_xfer+0x19e/0x340 (include/linux/i2c.h:835)\n  i2cdev_ioctl_smbus+0x38f/0x7f0 (drivers/i2c/i2c-dev.c:391)\n  i2cdev_ioctl+0x35e/0x680 (drivers/i2c/i2c-dev.c:478)\n  __x64_sys_ioctl+0x147/0x1e0 (fs/ioctl.c:52)\n  do_syscall_64+0xcf/0x15d0 (arch/x86/entry/syscall_64.c:63)\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e (arch/x86/entry/entry_64.S:130)\n  </TASK>\n\nBug 2: i2c-stub I2C_SMBUS_I2C_BLOCK_DATA OOB (drivers/i2c/i2c-stub.c)\n  stub_xfer() implements .smbus_xfer directly and only clamps\n  block[0] against 256-command, not I2C_SMBUS_BLOCK_MAX. With\n  block[0]=0xff and command=0 the loop accesses block[1+i] for\n  i up to 254, far past the 34-byte union.\n\n UBSAN: array-index-out-of-bounds in drivers/i2c/i2c-stub.c:223:44\n index 34 is out of range for type '__u8 [34]'\n Call Trace:\n  <TASK>\n  stub_xfer+0x1971/0x198f [i2c_stub] (drivers/i2c/i2c-stub.c:223)\n  __i2c_smbus_xfer+0x306/0xa40 (drivers/i2c/i2c-core-smbus.c:607)\n  i2c_smbus_xfer+0x19e/0x340 (include/linux/i2c.h:835)\n  i2cdev_ioctl_smbus+0x38f/0x7f0 (drivers/i2c/i2c-dev.c:391)\n  i2cdev_ioctl+0x35e/0x680 (drivers/i2c/i2c-dev.c:478)\n  __x64_sys_ioctl+0x147/0x1e0 (fs/ioctl.c:52)\n  do_syscall_64+0xcf/0x15d0 (arch/x86/entry/syscall_64.c:63)\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e (arch/x86/entry/entry_64.S:130)\n  </TASK>\n\nFixes: 8a325997d95d (\"i2c: Add message transfer tracepoints for SMBUS [ver #2]\")\nFixes: 4710317891e4 (\"i2c-stub: Implement I2C block support\")\nCc: stable@vger.kernel.org\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Weiming Shi <bestswngs@gmail.com>\n---\nChanges since the initial submission:\n- Moved the check from stub_xfer() into __i2c_smbus_xfer() so it\n  covers all callers, not just i2c-stub. This also fixes a separate\n  OOB in the smbus_write tracepoint that hits the same missing\n  validation from a different angle.\n\n drivers/i2c/i2c-core-smbus.c | 9 +++++++++\n 1 file changed, 9 insertions(+)",
    "diff": "diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c\nindex 71eb1ef56f0c..edb093687a4c 100644\n--- a/drivers/i2c/i2c-core-smbus.c\n+++ b/drivers/i2c/i2c-core-smbus.c\n@@ -566,6 +566,15 @@ s32 __i2c_smbus_xfer(struct i2c_adapter *adapter, u16 addr,\n \tif (res)\n \t\treturn res;\n \n+\t/* Reject invalid block lengths before they reach tracepoints\n+\t * or native smbus_xfer implementations.\n+\t */\n+\tif (data && (protocol == I2C_SMBUS_BLOCK_DATA ||\n+\t\t     protocol == I2C_SMBUS_BLOCK_PROC_CALL ||\n+\t\t     protocol == I2C_SMBUS_I2C_BLOCK_DATA) &&\n+\t    data->block[0] > I2C_SMBUS_BLOCK_MAX)\n+\t\treturn -EINVAL;\n+\n \t/* If enabled, the following two tracepoints are conditional on\n \t * read_write and protocol.\n \t */\n",
    "prefixes": [
        "v2"
    ]
}