From 5193fba85936014d3dcf25379ca16c2f6dbdaa71 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 4 Jun 2026 10:16:21 +0200 Subject: [PATCH] 6.6-stable patches added patches: bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch media-rc-igorplugusb-fix-control-request-setup-packet.patch usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch --- ...are-re-download-when-version-matches.patch | 57 +++++++++++++ ...s_poll-quirk-for-sigmachip-usb-mouse.patch | 48 +++++++++++ ...fix-stack-leak-in-tagged-fifo-buffer.patch | 52 ++++++++++++ ...oherent-size-in-ims_pcu_buffers_free.patch | 35 ++++++++ ...io-data_len-x_len-to-urb-buffer-size.patch | 61 ++++++++++++++ ...usb-fix-control-request-setup-packet.patch | 50 ++++++++++++ queue-6.6/series | 13 +++ ...emory-corruption-with-small-endpoint.patch | 49 ++++++++++++ ...unt-before-reading-status-update-vdo.patch | 35 ++++++++ ...idate-header-ndo-against-rx_byte_cnt.patch | 47 +++++++++++ ...mware-images-without-a-record-header.patch | 54 +++++++++++++ ..._cmd_configure-without-a-payload-vdo.patch | 43 ++++++++++ ...ctor-number-in-ucsi_connector_change.patch | 65 +++++++++++++++ ...t-pd_message-in-wcove_read_rx_buffer.patch | 79 +++++++++++++++++++ 14 files changed, 688 insertions(+) create mode 100644 
queue-6.6/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch create mode 100644 queue-6.6/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch create mode 100644 queue-6.6/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch create mode 100644 queue-6.6/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch create mode 100644 queue-6.6/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch create mode 100644 queue-6.6/media-rc-igorplugusb-fix-control-request-setup-packet.patch create mode 100644 queue-6.6/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch create mode 100644 queue-6.6/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch create mode 100644 queue-6.6/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch create mode 100644 queue-6.6/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch create mode 100644 queue-6.6/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch create mode 100644 queue-6.6/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch create mode 100644 queue-6.6/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch diff --git a/queue-6.6/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch b/queue-6.6/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch new file mode 100644 index 0000000000..949c06802e --- /dev/null +++ b/queue-6.6/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch 
@@ -0,0 +1,57 @@ +From 82855073c1081732656734b74d7d1d5e4cfd0da7 Mon Sep 17 00:00:00 2001 +From: Shuai Zhang +Date: Thu, 21 May 2026 13:25:47 +0800 +Subject: Bluetooth: btusb: Allow firmware re-download when version matches + +From: Shuai Zhang + +commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream. + +The Bluetooth host decides whether to download firmware by reading the +controller firmware download completion flag and firmware version +information. + +If a USB error occurs during the firmware download process (for example +due to a USB disconnect), the download is aborted immediately. An +incomplete firmware transfer does not cause the controller to set the +download completion flag, but the firmware version information may be +updated at an early stage of the download process. + +In this case, after USB reconnection, the host attempts to re-download +the firmware because the download completion flag is not set. However, +since the controller reports the same firmware version as the target +firmware, the download is skipped. This ultimately results in the +firmware not being properly updated on the controller. + +This change removes the restriction that skips firmware download when +the versions are equal. It covers scenarios where the USB connection +can be disconnected at any time and ensures that firmware download can +be retriggered after USB reconnection, allowing the Bluetooth firmware +to be correctly and completely updated. 
+ +Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family") +Cc: stable@vger.kernel.org +Signed-off-by: Shuai Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -3667,7 +3667,13 @@ static int btusb_setup_qca_load_rampatch + "firmware rome 0x%x build 0x%x", + rver_rom, rver_patch, ver_rom, ver_patch); + +- if (rver_rom != ver_rom || rver_patch <= ver_patch) { ++ /* Allow rampatch when the patch version equals the firmware version. ++ * A firmware download may be aborted by a transient USB error (e.g. ++ * disconnect) after the controller updates version info but before ++ * completion. ++ * Allowing equal versions enables re-flashing during recovery. ++ */ ++ if (rver_rom != ver_rom || rver_patch < ver_patch) { + bt_dev_err(hdev, "rampatch file version did not match with firmware"); + err = -EINVAL; + goto done; diff --git a/queue-6.6/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch b/queue-6.6/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch new file mode 100644 index 0000000000..ff608d1c37 --- /dev/null +++ b/queue-6.6/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch 
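Review bot: The error message on the line after the changed condition still says the rampatch version "did not match", but with `rver_patch < ver_patch` the only case still rejected is a rampatch older than what the controller reports, so the text now misdescribes the check; `bt_dev_err(hdev, "rampatch file version is older than firmware");` would match the new logic. It is also worth one more sentence in the new comment that downgrades remain refused and only the equal-version re-flash is newly allowed, since that is the bound on what an interrupted download can cause. btusb_setup_qca_load_rampatch() starts and ends outside the hunk.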
@@ -0,0 +1,48 @@ +From 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd Mon Sep 17 00:00:00 2001 +From: hlleng +Date: Tue, 12 May 2026 09:57:37 +0800 +Subject: HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse + +From: hlleng + +commit 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd upstream. + +The SIGMACHIP USB mouse with VID/PID 1c4f:0034 can disconnect and +re-enumerate repeatedly after it has been enumerated if its interrupt +endpoint is not continuously polled. + +This was observed with the device reporting itself as "SIGMACHIP Usb +Mouse". Keeping the input event device open avoids the disconnects. + +Add HID_QUIRK_ALWAYS_POLL for this device so the HID core keeps polling +it even when there is no userspace input consumer. + +Cc: stable@vger.kernel.org +Signed-off-by: hlleng +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1212,6 +1212,7 @@ + + #define USB_VENDOR_ID_SIGMA_MICRO 0x1c4f + #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD 0x0002 ++#define USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE 0x0034 + #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD2 0x0059 + + #define USB_VENDOR_ID_SIGMATEL 0x066F +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -186,6 +186,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD), HID_QUIRK_NO_INIT_REPORTS }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, 
USB_DEVICE_ID_SIS1030_TOUCH), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS817_TOUCH), HID_QUIRK_NOGET }, diff --git a/queue-6.6/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch b/queue-6.6/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch new file mode 100644 index 0000000000..89748e3415 --- /dev/null +++ b/queue-6.6/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch 
@@ -0,0 +1,52 @@ +From c9d8e9adaa63150ef7e833480b799d0bab83a276 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 15:40:48 +0200 +Subject: iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kroah-Hartman + +commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream. + +The tagged FIFO path declares iio_buff on the stack with __aligned(8) +but no initializer, but there is a hole in the structure, which will +then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be +copied, but the space between that and the timestamp are not +initialized. + +Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak +issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan, +but for the tagged path it only added the alignment qualifier and not +the initializer :( + +Fix this by just zero-initializing the structure on the stack. + +Cc: Lorenzo Bianconi +Cc: Jonathan Cameron +Cc: David Lechner +Cc: "Nuno Sá" +Cc: Andy Shevchenko +Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues") +Cc: stable +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: David Lechner +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c +@@ -586,7 +586,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s + * must be passed a buffer that is aligned to 8 bytes so + * as to allow insertion of a naturally aligned timestamp. + */ +- u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8); ++ u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { }; + u8 tag; + bool reset_ts = false; + int i, err, read_len; 
diff --git a/queue-6.6/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch b/queue-6.6/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch new file mode 100644 index 0000000000..33b71d44f7 --- /dev/null +++ b/queue-6.6/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch @@ -0,0 +1,35 @@ +From dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Fri, 22 May 2026 10:54:04 +0200 +Subject: Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() + +From: Thomas Fourier + +commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream. + +The input buffer size is pcu->max_in_size, but pcu->max_out_size is +passed to usb_free_coherent(). + +Change size to match the allocation size. + +Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/ims-pcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1598,7 +1598,7 @@ static void ims_pcu_buffers_free(struct + usb_kill_urb(pcu->urb_in); + usb_free_urb(pcu->urb_in); + +- usb_free_coherent(pcu->udev, pcu->max_out_size, ++ usb_free_coherent(pcu->udev, pcu->max_in_size, + pcu->urb_in_buf, pcu->read_dma); + + kfree(pcu->urb_out_buf); diff --git a/queue-6.6/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch b/queue-6.6/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch new file mode 100644 index 0000000000..9736098b0f --- /dev/null +++ b/queue-6.6/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch 
@@ -0,0 +1,61 @@ +From 2905281cbda52ec9df540113b35b835feb5fafd3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 20 Apr 2026 18:00:27 +0200 +Subject: Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kroah-Hartman + +commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream. + +nexio_read_data() pulls data_len and x_len from a packed __be16 header +in the device's interrupt packet and then walks packet->data[0..x_len) +and packet->data[x_len..data_len) comparing each byte against a +threshold. + +Both fields are 16-bit on the wire (max 65535). The existing +adjustments shave at most 0x100 / 0x80 off, so the loop bound can still +reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size +(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the +packed header — so packet->data[] has 1017 valid bytes. read_data() +callbacks are not given urb->actual_length, and nothing else bounds the +walk. + +A device that lies about its length can get a ~64 KiB out-of-bounds read +past the coherent DMA allocation. The first index whose byte exceeds +NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the +reported touch coordinates, so adjacent kernel memory contents leak to +userspace as ABS_X / ABS_Y events. Far enough out, the read can also +hit an unmapped page and fault. + +Fix this all by clamping data_len to the buffer's data[] capacity and +x_len to data_len. 
+ +Cc: Dmitry Torokhov +Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support") +Cc: stable +Assisted-by: gkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/usbtouchscreen.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/input/touchscreen/usbtouchscreen.c ++++ b/drivers/input/touchscreen/usbtouchscreen.c +@@ -1061,6 +1061,11 @@ static int nexio_read_data(struct usbtou + if (x_len > 0xff) + x_len -= 0x80; + ++ if (data_len > usbtouch->data_size - sizeof(*packet)) ++ data_len = usbtouch->data_size - sizeof(*packet); ++ if (x_len > data_len) ++ x_len = data_len; ++ + /* send ACK */ + ret = usb_submit_urb(priv->ack, GFP_ATOMIC); + if (ret) diff --git a/queue-6.6/media-rc-igorplugusb-fix-control-request-setup-packet.patch b/queue-6.6/media-rc-igorplugusb-fix-control-request-setup-packet.patch new file mode 100644 index 0000000000..91e08726fe --- /dev/null +++ b/queue-6.6/media-rc-igorplugusb-fix-control-request-setup-packet.patch 
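Review bot: The clamp bounds data_len to the coherent buffer's capacity rather than to the bytes actually received, so a device advertising an oversized length still has the loop walk stale bytes left in the buffer by earlier transfers (the commit message notes read_data() callbacks are not given urb->actual_length). That is no longer out of bounds, but the choice deserves a comment, e.g. `/* Untrusted length from the device: clamp to the data[] capacity; bytes past the received length are stale but in-bounds. */`. If an over-long header is never legitimate, dropping the packet instead of clamping is worth considering, and a ratelimited dev_dbg at that point would make a misbehaving device observable. nexio_read_data() starts before and continues after the hunk.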
@@ -0,0 +1,50 @@ +From 171022c7d594c133a45f92357a2a91475edabe20 Mon Sep 17 00:00:00 2001 +From: Henri A +Date: Wed, 20 May 2026 10:25:44 -0400 +Subject: media: rc: igorplugusb: fix control request setup packet + +From: Henri A + +commit 171022c7d594c133a45f92357a2a91475edabe20 upstream. + +Commit eac69475b01f ("media: rc: igorplugusb: heed coherency +rules") changed the control request storage from an embedded struct to +an allocated pointer so it can obey DMA coherency rules. + +However, the driver still passes &ir->request to usb_fill_control_urb(). +That points the URB setup packet at the pointer field itself rather than +at the allocated struct usb_ctrlrequest. + +USB core then interprets pointer bytes as the setup packet. This can +produce an invalid bRequestType and trigger the control direction warning +reported by syzbot: + + usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0 + +Pass ir->request itself as the setup packet. + +Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules") +Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51 +Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Assisted-by: Codex:GPT-5.5 +Signed-off-by: Henri A +Signed-off-by: Sean Young +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/igorplugusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/rc/igorplugusb.c ++++ b/drivers/media/rc/igorplugusb.c +@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_ + if (!ir->buf_in) + goto fail; + usb_fill_control_urb(ir->urb, udev, +- usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request, ++ usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request, + ir->buf_in, MAX_PACKET, igorplugusb_callback, ir); + + usb_make_path(udev, ir->phys, sizeof(ir->phys)); 
diff --git a/queue-6.6/series b/queue-6.6/series
index a6685b0122..c55731d0be 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -1,3 +1,4 @@
+input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
 net-sched-cls_fw-fix-null-dereference-of-old-filters.patch
 net-mctp-ensure-our-nlmsg-responses-are-initialised.patch
 net-sched-sch_sfb-replace-direct-dequeue-call-with-p.patch
@@ -79,3 +80,15 @@ x86-kexec-add-a-sanity-check-on-previous-kernel-s-im.patch
 hwmon-pmbus-adm1266-serialize-gpio-pmbus-accesses-wi.patch
 hwmon-pmbus-adm1266-serialize-nvmem-blackbox-read-wi.patch
 soc-tegra-pmc-fix-unsafe-generic_handle_irq-call.patch
+iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
+usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
+usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
+usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
+usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
+usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch
+usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch
+usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
+media-rc-igorplugusb-fix-control-request-setup-packet.patch
+input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
+hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
+bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
diff --git a/queue-6.6/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch b/queue-6.6/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644
index 0000000000..915d2304bd
--- /dev/null
+++ b/queue-6.6/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
@@ -0,0 +1,49 @@ +From 438061ed1ad85e6743e2dce826671772d81089ec Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 22 May 2026 16:22:18 +0200 +Subject: USB: serial: safe_serial: fix memory corruption with small endpoint + +From: Johan Hovold + +commit 438061ed1ad85e6743e2dce826671772d81089ec upstream. + +Make sure that the bulk-out buffer size is at least eight bytes to avoid +user-controlled slab corruption in "safe" mode should a malicious device +report a smaller size. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/safe_serial.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/serial/safe_serial.c ++++ b/drivers/usb/serial/safe_serial.c +@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str + static int safe_startup(struct usb_serial *serial) + { + struct usb_interface_descriptor *desc; ++ int bulk_out_size; + + if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS) + return -ENODEV; +@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria + default: + return -EINVAL; + } ++ ++ /* ++ * The bulk-out buffer needs to be large enough for the two-byte ++ * trailer in safe mode, but assume anything smaller than eight bytes ++ * is broken. ++ */ ++ bulk_out_size = serial->port[0]->bulk_out_size; ++ if (bulk_out_size > 0 && bulk_out_size < 8) ++ return -EINVAL; ++ + return 0; + } + diff --git a/queue-6.6/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch b/queue-6.6/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch new file mode 100644 index 0000000000..74cf62cc68 --- /dev/null +++ b/queue-6.6/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch 
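Review bot: The added check deliberately lets `bulk_out_size == 0` through, but nothing says why, so a reader cannot tell whether zero means "no bulk-out endpoint" or a missed case. Presumably it is the former and the write path is then unreachable; if so, extend the new comment with `* A size of zero means the port has no bulk-out endpoint. */` after confirming against the usb-serial core. The bound is also applied to port[0] only; if this driver can bind more than one port, each port's bulk_out_size needs the same check. safe_startup() is split across the two hunks, with lines in between outside view.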
@@ -0,0 +1,35 @@ +From 8a18f896e667df491331371b55d4ad644dc51d60 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 13 May 2026 17:52:49 +0200 +Subject: usb: typec: altmodes/displayport: validate count before reading Status Update VDO + +From: Greg Kroah-Hartman + +commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream. + +A broken/malicious device can send the incorrect count for a status +update VDO, which will cause the kernel to read uninitialized stack data +and send it off elsewhere. + +Fix this up by correctly verifying the count for the update object. + +Assisted-by: gkh_clanker_t1000 +Cc: stable +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/altmodes/displayport.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/typec/altmodes/displayport.c ++++ b/drivers/usb/typec/altmodes/displayport.c +@@ -311,6 +311,8 @@ static int dp_altmode_vdm(struct typec_a + } + break; + case DP_CMD_STATUS_UPDATE: ++ if (count < 2) ++ break; + dp->data.status = *vdo; + ret = dp_altmode_status_update(dp); + break; diff --git a/queue-6.6/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch b/queue-6.6/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch new file mode 100644 index 0000000000..2f2f15d54c --- /dev/null +++ b/queue-6.6/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch 
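Review bot: The new `count < 2` guard drops a malformed Status Update silently: `break` leaves `ret` untouched and logs nothing, so a partner that sends header-only status updates is indistinguishable from one that never answers. A debug message at the guard, something like `dev_dbg(&alt->dev, "Status Update VDM without VDO\n");` if `alt` is the typec_altmode argument in the truncated signature, would make the condition observable without changing behaviour. The same count check is added to the UCSI DisplayPort driver later in this series, where the malformed command is NAKed instead; the difference is reasonable if this path handles responses rather than requests, but a one-line comment saying so would help. dp_altmode_vdm() starts and ends outside the hunk.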
@@ -0,0 +1,47 @@ +From aa2f716327be1818e1cb156da8a2844804aaec2f Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 13 May 2026 17:52:50 +0200 +Subject: usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kroah-Hartman + +commit aa2f716327be1818e1cb156da8a2844804aaec2f upstream. + +A broken/malicious port can transmit a CRC-valid frame whose header +advertises up to seven data objects but whose body carries fewer than +that. Check for this, and rightfully reject the message, instead of +reading from uninitialized stack memory. + +Assisted-by: gkh_clanker_t1000 +Cc: Heikki Krogerus +Cc: "André Draszik" +Cc: Badhri Jagan Sridharan +Cc: Amit Sunil Dhamne +Cc: stable +Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpci_maxim_core.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c ++++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c +@@ -165,6 +165,15 @@ static void process_rx(struct max_tcpci_ + rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET; + msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr); + rx_buf_ptr = rx_buf_ptr + sizeof(msg.header); ++ ++ if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) + ++ pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) { ++ max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS); ++ dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n", ++ count, pd_header_cnt_le(msg.header)); ++ return; ++ } ++ + for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++, + rx_buf_ptr += sizeof(msg.payload[0])) + msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr); 
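Review bot: The new rejection path logs with `dev_err()` on every bad frame, and the commit message itself names a malicious port as the trigger, so a hostile partner can flood the kernel log at frame rate; `dev_err_ratelimited(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n", count, pd_header_cnt_le(msg.header));` keeps the diagnostic without that side effect. The `%d` specifiers also assume `count` and the NDO count are signed ints; if `count` is an unsigned type (its declaration is outside the hunk) `%u` is the matching specifier. Placing the check immediately before the payload copy is the right spot. process_rx() starts and ends outside the hunk.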
diff --git a/queue-6.6/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch b/queue-6.6/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch new file mode 100644 index 0000000000..11570b1627 --- /dev/null +++ b/queue-6.6/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch 
@@ -0,0 +1,54 @@ +From d7486952bf74e546ee3748fb14b2d07881fa6273 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 14 May 2026 19:10:06 +0200 +Subject: usb: typec: ucsi: ccg: reject firmware images without a ':' record header + +From: Greg Kroah-Hartman + +commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream. + +do_flash() locates the first .cyacd record with + + p = strnchr(fw->data, fw->size, ':'); + while (p < eof) { + s = strnchr(p + 1, eof - p - 1, ':'); + ... + } + +If the firmware image contains no ':' byte, strnchr() returns NULL. +NULL compares less than the valid kernel pointer eof, so the loop body +runs and strnchr() is called with p + 1 == (void *)1 and a length of +roughly (unsigned long)eof, causing a wonderful crash. + +The not_signed_fw fallthrough earlier in do_flash() and the chip-state +branches in ccg_fw_update_needed() allow an unsigned blob to reach this +loop, so a root user who can place a crafted file under /lib/firmware +and write the do_flash sysfs attribute can trigger the oops. + +Bail out with -EINVAL when the initial strnchr() returns NULL. + +Assisted-by: gkh_clanker_t1000 +Cc: stable +Cc: Heikki Krogerus +Reviewed-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/typec/ucsi/ucsi_ccg.c ++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c +@@ -1178,6 +1178,11 @@ not_signed_fw: + *****************************************************************/ + + p = strnchr(fw->data, fw->size, ':'); ++ if (!p) { ++ dev_err(dev, "Bad FW format: no ':' record header found\n"); ++ err = -EINVAL; ++ goto release_mem; ++ } + while (p < eof) { + s = strnchr(p + 1, eof - p - 1, ':'); + 
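Review bot: The NULL check covers the initial strnchr(), but the loop right below it calls `s = strnchr(p + 1, eof - p - 1, ':')` for each record and can return NULL too when the last record has no trailing ':'; the visible lines do not show how `s` is consumed, so please confirm the body handles `s == NULL` rather than deriving a length or advancing `p` from it. If it does not, the same class of bogus-pointer arithmetic the commit fixes remains one record later. The new dev_err is appropriate here since, per the commit message, the path is reached only through a root-only sysfs write and a firmware file, so no ratelimit is needed. do_flash() starts and ends outside the hunk.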
diff --git a/queue-6.6/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch b/queue-6.6/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch new file mode 100644 index 0000000000..bb164da998 --- /dev/null +++ b/queue-6.6/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch @@ -0,0 +1,43 @@ +From 167dd8d12226587ee554f520aed0256b7769cd5d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 13 May 2026 17:52:54 +0200 +Subject: usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO + +From: Greg Kroah-Hartman + +commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream. + +ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first +payload VDO from data[], but unlike the equivalent handler in +altmodes/displayport.c it does not check that count covers a VDO beyond +the header. A header-only Configure VDM (count == 1) would read one u32 +past the caller's array. + +In the normal UCSI path the caller controls count, so this is hardening +for non-standard delivery paths. NAK and bail when no configuration VDO +is present, matching the generic DP altmode driver's existing guard. + +Assisted-by: gkh_clanker_t1000 +Cc: Pooja Katiyar +Cc: Johan Hovold +Cc: stable +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/displayport.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/typec/ucsi/displayport.c ++++ b/drivers/usb/typec/ucsi/displayport.c +@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t + dp->header |= VDO_CMDT(CMDT_RSP_ACK); + break; + case DP_CMD_CONFIGURE: ++ if (count < 2) { ++ dp->header |= VDO_CMDT(CMDT_RSP_NAK); ++ break; ++ } + dp->data.conf = *data; + if (ucsi_displayport_configure(dp)) { + dp->header |= VDO_CMDT(CMDT_RSP_NAK); 
diff --git a/queue-6.6/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch b/queue-6.6/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch new file mode 100644 index 0000000000..296a39c552 --- /dev/null +++ b/queue-6.6/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch 
@@ -0,0 +1,65 @@ +From 288a81a8507052bcfbf884d39a463c44c42c5fd9 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 13 May 2026 17:52:55 +0200 +Subject: usb: typec: ucsi: validate connector number in ucsi_connector_change() + +From: Greg Kroah-Hartman + +commit 288a81a8507052bcfbf884d39a463c44c42c5fd9 upstream. + +The connector number in a UCSI CCI notification is a 7-bit field +supplied by the PPM. ucsi_connector_change() uses it to index the +ucsi->connector[] array without checking it against the number of +connectors the PPM reported at init time, so a buggy or malicious PPM +(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 / +glink transports) can drive schedule_work() on memory past the end of +the array. + +Reject connector numbers that are zero or exceed cap.num_connectors +before dereferencing the array. + +Assisted-by: gkh_clanker_t1000 +Cc: Heikki Krogerus +Cc: Benson Leung +Cc: Jameson Thies +Cc: Nathan Rebello +Cc: Johan Hovold +Cc: Pooja Katiyar +Cc: Hsin-Te Yuan +Cc: Abel Vesa +Cc: stable +Reviewed-by: Abel Vesa +Reviewed-by: Heikki Krogerus +Reviewed-by: Benson Leung +Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -960,13 +960,22 @@ out_unlock: + */ + void ucsi_connector_change(struct ucsi *ucsi, u8 num) + { +- struct ucsi_connector *con = &ucsi->connector[num - 1]; ++ struct ucsi_connector *con; + + if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { + dev_dbg(ucsi->dev, "Early connector change event\n"); + return; + } + ++ if (!num || num > ucsi->cap.num_connectors) { ++ dev_warn_ratelimited(ucsi->dev, ++ "Bogus connector change on %u (max %u)\n", ++ num, ucsi->cap.num_connectors); ++ return; ++ } ++ ++ con = &ucsi->connector[num - 1]; ++ + if 
(!test_and_set_bit(EVENT_PENDING, &ucsi->flags)) + schedule_work(&con->work); + } diff --git a/queue-6.6/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch b/queue-6.6/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch new file mode 100644 index 0000000000..06ddc8f643 --- /dev/null +++ b/queue-6.6/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch 
@@ -0,0 +1,79 @@ +From 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 13 May 2026 17:52:48 +0200 +Subject: usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() + +From: Greg Kroah-Hartman + +commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream. + +wcove_read_rx_buffer() copies the PD RX FIFO into the caller's +struct pd_message with + + for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) + regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i); + +which has two problems: + +USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message +is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed). +The byte count latched in RXINFO is the number of bytes the port partner +put on the wire, so a malicious partner that transmits a 31-byte frame +can drive the loop one byte past the destination if the WCOVE BMC +receiver does not enforce the PD object-count limit in hardware. The +existing FIXME flagged this as unverified. + +Independently, regmap_read() takes an unsigned int * and stores a full +unsigned int at the destination. Passing the byte pointer msg + i means +each iteration writes four bytes; the high three are zero (val_bits is +8) and are normally overwritten by the next iteration, but the final +iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration +already writes three zero bytes past msg, which sits on the IRQ thread's +stack in wcove_typec_irq(). + +Clamp the loop to sizeof(struct pd_message) and read each register into +a local before storing only its low byte, so the copy can never exceed +the destination regardless of what RXINFO reports. 
+ +Assisted-by: gkh_clanker_t1000 +Cc: stable +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/wcove.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/usb/typec/tcpm/wcove.c ++++ b/drivers/usb/typec/tcpm/wcove.c +@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t + return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl); + } + +-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg) ++static int wcove_read_rx_buffer(struct wcove_typec *wcove, ++ struct pd_message *msg) + { +- unsigned int info; ++ unsigned int info, val, len; ++ u8 *buf = (u8 *)msg; + int ret; + int i; + +@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w + if (ret) + return ret; + +- /* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */ ++ len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg)); + +- for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) { +- ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i); ++ for (i = 0; i < len; i++) { ++ ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val); + if (ret) + return ret; ++ buf[i] = val; + } + + return regmap_write(wcove->regmap, USBC_RXSTATUS, -- 2.47.3
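Review bot: `len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));` mixes the type of the RXBYTES field with `size_t`; the 6.6 tree's `min()` still type-checks its operands and warns about comparing distinct pointer types when they differ, so unless USBC_RXINFO_RXBYTES() already yields a `size_t` this backport should read `len = min_t(unsigned int, USBC_RXINFO_RXBYTES(info), sizeof(*msg));` (upstream's relaxed min() hides this). The loop index `i` remains `int` while `len` is now `unsigned int`; declaring `i` as `unsigned int` avoids the signed/unsigned comparison. The truncating `buf[i] = val;` is intentional given the 8-bit val_bits noted in the commit message and deserves a short comment such as `/* regmap returns a full unsigned int; only the low byte is data */`. wcove_read_rx_buffer() ends outside the hunk.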