[PATCH] crypto: atmel-sha204a - Fix OTP address check and uninitialized data access

Tue Feb 24 14:55:47 PST 2026

Return -EINVAL from atmel_i2c_init_read_otp_cmd() on invalid addresses
instead of -1. Since the OTP zone is accessed in 4-byte blocks, valid
addresses range from 0 to OTP_ZONE_SIZE / 4 - 1. Fix the bounds check
accordingly.

In atmel_sha204a_otp_read(), propagate the actual error code from
atmel_i2c_init_read_otp_cmd() instead of -1, and return early if
atmel_i2c_send_receive() fails to avoid checking potentially
uninitialized data in 'cmd.data'.

Also, return -EIO instead of -EINVAL when the device is not ready.

Fixes: e05ce444e9e5 ("crypto: atmel-sha204a - add reading from otp zone")
Cc: stable at vger.kernel.org
Reviewed-by: Lothar Rubusch <l.rubusch at gmail.com>
Signed-off-by: Thorsten Blum <thorsten.blum at linux.dev>
---
Compile-tested only.

This patch combines [1] and [2], as suggested by Lothar in [2].

Lothar's Reviewed-by: for [1] has been preserved.

In [2], Lothar questioned whether returning -EIO is appropriate; the
exact error code can be adjusted if needed. The errno is currently not
propagated to userspace, but [3] changes this.

[1] https://lore.kernel.org/lkml/20260215205152.518472-3-thorsten.blum@linux.dev/
[2] https://lore.kernel.org/lkml/20260220133135.1122081-2-thorsten.blum@linux.dev/
[3] https://lore.kernel.org/lkml/20260216074552.656814-1-thorsten.blum@linux.dev/
---
 drivers/crypto/atmel-i2c.c     |  4 ++--
 drivers/crypto/atmel-sha204a.c | 11 ++++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/crypto/atmel-i2c.c b/drivers/crypto/atmel-i2c.c
index da3cd986b1eb..59d11fa5caeb 100644
--- a/drivers/crypto/atmel-i2c.c
+++ b/drivers/crypto/atmel-i2c.c
@@ -72,8 +72,8 @@ EXPORT_SYMBOL(atmel_i2c_init_read_config_cmd);
 
 int atmel_i2c_init_read_otp_cmd(struct atmel_i2c_cmd *cmd, u16 addr)
 {
-	if (addr < 0 || addr > OTP_ZONE_SIZE)
-		return -1;
+	if (addr >= OTP_ZONE_SIZE / 4)
+		return -EINVAL;
 
 	cmd->word_addr = COMMAND;
 	cmd->opcode = OPCODE_READ;
diff --git a/drivers/crypto/atmel-sha204a.c b/drivers/crypto/atmel-sha204a.c
index 8adc7fe71c04..b0480d3bec70 100644
--- a/drivers/crypto/atmel-sha204a.c
+++ b/drivers/crypto/atmel-sha204a.c
@@ -94,19 +94,24 @@ static int atmel_sha204a_rng_read(struct hwrng *rng, void *data, size_t max,
 static int atmel_sha204a_otp_read(struct i2c_client *client, u16 addr, u8 *otp)
 {
 	struct atmel_i2c_cmd cmd;
-	int ret = -1;
+	int ret;
 
-	if (atmel_i2c_init_read_otp_cmd(&cmd, addr) < 0) {
+	ret = atmel_i2c_init_read_otp_cmd(&cmd, addr);
+	if (ret < 0) {
 		dev_err(&client->dev, "failed, invalid otp address %04X\n",
 			addr);
 		return ret;
 	}
 
 	ret = atmel_i2c_send_receive(client, &cmd);
+	if (ret < 0) {
+		dev_err(&client->dev, "failed to read otp at %04X\n", addr);
+		return ret;
+	}
 
 	if (cmd.data[0] == 0xff) {
 		dev_err(&client->dev, "failed, device not ready\n");
-		return -EINVAL;
+		return -EIO;
 	}
 
 	memcpy(otp, cmd.data+1, 4);
-- 
Thorsten Blum <thorsten.blum at linux.dev>
GPG: 1D60 735E 8AEF 3BE4 73B6  9D84 7336 78FD 8DFE EAD4


