From: Sven Peter sven@svenpeter.dev
mainline inclusion from mainline-v5.16-rc1 commit b7a0a63f3fed57d413bb857de164ea9c3984bc4e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9HOEF CVE: CVE-2021-47210
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Calling tps6598x_block_read with a higher than allowed len can be handled by just returning an error. There's no need to crash systems with panic-on-warn enabled.
Reviewed-by: Heikki Krogerus heikki.krogerus@linux.intel.com Signed-off-by: Sven Peter sven@svenpeter.dev Link: https://lore.kernel.org/r/20210914140235.65955-3-sven@svenpeter.dev Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
conflicts: drivers/usb/typec/tps6598x.c
Signed-off-by: Ye Bin yebin10@huawei.com --- drivers/usb/typec/tps6598x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c index 987b8fcfb2aa..a4dd23a8f195 100644 --- a/drivers/usb/typec/tps6598x.c +++ b/drivers/usb/typec/tps6598x.c @@ -93,7 +93,7 @@ tps6598x_block_read(struct tps6598x *tps, u8 reg, void *val, size_t len) u8 data[TPS_MAX_LEN + 1]; int ret;
- if (WARN_ON(len + 1 > sizeof(data))) + if (len + 1 > sizeof(data)) return -EINVAL;
if (!tps->i2c_protocol)