--- /dev/null
+From 82855073c1081732656734b74d7d1d5e4cfd0da7 Mon Sep 17 00:00:00 2001
+From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
+Date: Thu, 21 May 2026 13:25:47 +0800
+Subject: Bluetooth: btusb: Allow firmware re-download when version matches
+
+From: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
+
+commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.
+
+The Bluetooth host decides whether to download firmware by reading the
+controller firmware download completion flag and firmware version
+information.
+
+If a USB error occurs during the firmware download process (for example
+due to a USB disconnect), the download is aborted immediately. An
+incomplete firmware transfer does not cause the controller to set the
+download completion flag, but the firmware version information may be
+updated at an early stage of the download process.
+
+In this case, after USB reconnection, the host attempts to re-download
+the firmware because the download completion flag is not set. However,
+since the controller reports the same firmware version as the target
+firmware, the download is skipped. This ultimately results in the
+firmware not being properly updated on the controller.
+
+This change removes the restriction that skips firmware download when
+the versions are equal. It covers scenarios where the USB connection
+can be disconnected at any time and ensures that firmware download can
+be retriggered after USB reconnection, allowing the Bluetooth firmware
+to be correctly and completely updated.
+
+Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shuai Zhang <shuai.zhang@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3511,7 +3511,13 @@ static int btusb_setup_qca_load_rampatch
+ "firmware rome 0x%x build 0x%x",
+ rver_rom, rver_patch, ver_rom, ver_patch);
+
+- if (rver_rom != ver_rom || rver_patch <= ver_patch) {
++ /* Allow rampatch when the patch version equals the firmware version.
++ * A firmware download may be aborted by a transient USB error (e.g.
++ * disconnect) after the controller updates version info but before
++ * completion.
++ * Allowing equal versions enables re-flashing during recovery.
++ */
++ if (rver_rom != ver_rom || rver_patch < ver_patch) {
+ bt_dev_err(hdev, "rampatch file version did not match with firmware");
+ err = -EINVAL;
+ goto done;
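Review bot: The new comment on the relaxed check in btusb_setup_qca_load_rampatch() explains why an equal version is accepted, but not that `rver_patch < ver_patch` still refuses an older rampatch. That refusal is what keeps a downgrade blocked, so it should be stated, for example by adding `* A rampatch older than the running firmware is still rejected.` to the block. With equality allowed, the completion-flag test described in the commit message is presumably the only thing that stops a healthy controller from being re-flashed on every setup. That test is outside this hunk and is worth confirming.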
--- /dev/null
+From 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd Mon Sep 17 00:00:00 2001
+From: hlleng <a909204013@gmail.com>
+Date: Tue, 12 May 2026 09:57:37 +0800
+Subject: HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
+
+From: hlleng <a909204013@gmail.com>
+
+commit 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd upstream.
+
+The SIGMACHIP USB mouse with VID/PID 1c4f:0034 can disconnect and
+re-enumerate repeatedly after it has been enumerated if its interrupt
+endpoint is not continuously polled.
+
+This was observed with the device reporting itself as "SIGMACHIP Usb
+Mouse". Keeping the input event device open avoids the disconnects.
+
+Add HID_QUIRK_ALWAYS_POLL for this device so the HID core keeps polling
+it even when there is no userspace input consumer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: hlleng <a909204013@gmail.com>
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1261,6 +1261,7 @@
+
+ #define USB_VENDOR_ID_SIGMA_MICRO 0x1c4f
+ #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD 0x0002
++#define USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE 0x0034
+ #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD2 0x0059
+
+ #define USB_VENDOR_ID_SIGMATEL 0x066F
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -186,6 +186,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD), HID_QUIRK_NO_INIT_REPORTS },
++ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS1030_TOUCH), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS817_TOUCH), HID_QUIRK_NOGET },
--- /dev/null
+From 474f8928d50b09f7dcf507049f08732640b88b49 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 15:40:49 +0200
+Subject: iio: imu: adis16550: fix stack leak in trigger handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 474f8928d50b09f7dcf507049f08732640b88b49 upstream.
+
+adis16550_trigger_handler() declares the scan data array on the stack
+without initializing it. The memcpy() at the bottom fills only the
+first 28 bytes (TEMP + 6 channels of GYRO/ACCEL data), and
+iio_push_to_buffers_with_timestamp() writes the s64 timestamp at the
+8-byte-aligned offset 32. Bytes 28-31 remain uninitialized stack data
+which leaks to userspace on ever trigger.
+
+Fix this all by just zero-initializing the structure on the stack.
+
+Cc: Lars-Peter Clausen <lars@metafoo.de>
+Cc: Michael Hennerich <Michael.Hennerich@analog.com>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: David Lechner <dlechner@baylibre.com>
+Cc: "Nuno Sá" <nuno.sa@analog.com>
+Cc: Andy Shevchenko <andy@kernel.org>
+Fixes: e4570f4bb231 ("iio: imu: adis16550: align buffers for timestamp")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/adis16550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16550.c
++++ b/drivers/iio/imu/adis16550.c
+@@ -836,7 +836,7 @@ static irqreturn_t adis16550_trigger_han
+ u16 dummy;
+ bool valid;
+ struct iio_poll_func *pf = p;
+- __be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8);
++ __be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8) = { };
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct adis16550 *st = iio_priv(indio_dev);
+ struct adis *adis = iio_device_get_drvdata(indio_dev);
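Review bot: Nothing at the declaration of `data` says that the `= { }` initializer is required, so a later cleanup could drop it as redundant and reopen the leak. A one-line comment above it would record the reason, for example `/* Zeroed: bytes the scan data does not fill are pushed to userspace. */`. The same applies to `iio_buff` in the st_lsm6dsx_read_tagged_fifo() hunk and to `buffer` in the bmp580_trigger_handler() hunk. For the bmp580 struct, the member-wise zeroing is sufficient only because, as its commit message states, there is no padding hole. The function bodies continue outside these hunks.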
--- /dev/null
+From c9d8e9adaa63150ef7e833480b799d0bab83a276 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 15:40:48 +0200
+Subject: iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.
+
+The tagged FIFO path declares iio_buff on the stack with __aligned(8)
+but no initializer, but there is a hole in the structure, which will
+then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
+copied, but the space between that and the timestamp are not
+initialized.
+
+Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
+issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
+but for the tagged path it only added the alignment qualifier and not
+the initializer :(
+
+Fix this by just zero-initializing the structure on the stack.
+
+Cc: Lorenzo Bianconi <lorenzo@kernel.org>
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: David Lechner <dlechner@baylibre.com>
+Cc: "Nuno Sá" <nuno.sa@analog.com>
+Cc: Andy Shevchenko <andy@kernel.org>
+Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+@@ -609,7 +609,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
+ * must be passed a buffer that is aligned to 8 bytes so
+ * as to allow insertion of a naturally aligned timestamp.
+ */
+- u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
++ u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
+ u8 tag;
+ bool reset_ts = false;
+ int i, err, read_len;
--- /dev/null
+From 387c86b582e0782ab332e7bfcd4e6e3f93922961 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 9 Apr 2026 15:40:47 +0200
+Subject: iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 387c86b582e0782ab332e7bfcd4e6e3f93922961 upstream.
+
+bmp580_trigger_handler() declares its scan buffer on the stack without
+an initializer and then memcpy()s 3 bytes of 24-bit sensor data into
+each 4-byte __le32 field. The high byte of comp_temp and comp_press is
+left uninitialized, and the channel storagebits is 32, so two bytes of
+stack are pushed to userspace per scan.
+
+This is a regression from when the buffer lived in the private data, the
+move to a stack-local struct dropped the implicit zeroing.
+bme280_trigger_handler() was fixed up to handle this bug, but this
+driver was not fixed because there was no padding hole, but rather a
+short-fill issue.
+
+Fix this all by just zero-initializing the structure on the stack.
+
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: David Lechner <dlechner@baylibre.com>
+Cc: "Nuno Sá" <nuno.sa@analog.com>
+Cc: Andy Shevchenko <andy@kernel.org>
+Fixes: 872c8014e05e ("iio: pressure: bmp280: drop sensor_data array")
+Cc: stable <stable@kernel.org>
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/pressure/bmp280-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/pressure/bmp280-core.c
++++ b/drivers/iio/pressure/bmp280-core.c
+@@ -2616,7 +2616,7 @@ static irqreturn_t bmp580_trigger_handle
+ __le32 comp_temp;
+ __le32 comp_press;
+ aligned_s64 timestamp;
+- } buffer;
++ } buffer = { };
+ int ret;
+
+ guard(mutex)(&data->lock);
--- /dev/null
+From dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier <fourier.thomas@gmail.com>
+Date: Fri, 22 May 2026 10:54:04 +0200
+Subject: Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.
+
+The input buffer size is pcu->max_in_size, but pcu->max_out_size is
+passed to usb_free_coherent().
+
+Change size to match the allocation size.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/ims-pcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1604,7 +1604,7 @@ static void ims_pcu_buffers_free(struct
+ usb_kill_urb(pcu->urb_in);
+ usb_free_urb(pcu->urb_in);
+
+- usb_free_coherent(pcu->udev, pcu->max_out_size,
++ usb_free_coherent(pcu->udev, pcu->max_in_size,
+ pcu->urb_in_buf, pcu->read_dma);
+
+ kfree(pcu->urb_out_buf);
--- /dev/null
+From 2905281cbda52ec9df540113b35b835feb5fafd3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:00:27 +0200
+Subject: Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.
+
+nexio_read_data() pulls data_len and x_len from a packed __be16 header
+in the device's interrupt packet and then walks packet->data[0..x_len)
+and packet->data[x_len..data_len) comparing each byte against a
+threshold.
+
+Both fields are 16-bit on the wire (max 65535). The existing
+adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
+reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size
+(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
+packed header — so packet->data[] has 1017 valid bytes. read_data()
+callbacks are not given urb->actual_length, and nothing else bounds the
+walk.
+
+A device that lies about its length can get a ~64 KiB out-of-bounds read
+past the coherent DMA allocation. The first index whose byte exceeds
+NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
+reported touch coordinates, so adjacent kernel memory contents leak to
+userspace as ABS_X / ABS_Y events. Far enough out, the read can also
+hit an unmapped page and fault.
+
+Fix this all by clamping data_len to the buffer's data[] capacity and
+x_len to data_len.
+
+Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
+Cc: stable <stable@kernel.org>
+Assisted-by: gkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -1070,6 +1070,11 @@ static int nexio_read_data(struct usbtou
+ if (x_len > 0xff)
+ x_len -= 0x80;
+
++ if (data_len > usbtouch->data_size - sizeof(*packet))
++ data_len = usbtouch->data_size - sizeof(*packet);
++ if (x_len > data_len)
++ x_len = data_len;
++
+ /* send ACK */
+ ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
+ if (ret)
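Review bot: The clamp in nexio_read_data() bounds `data_len` by the allocated buffer (`usbtouch->data_size - sizeof(*packet)`), not by the number of bytes the device actually sent. The walk can therefore still cover stale bytes left in the buffer by an earlier transfer; the commit message notes that read_data() callbacks are not given `urb->actual_length`. The subtraction is also unsigned because of `sizeof`, so it would wrap if `data_size` were ever smaller than the header. That is latent today given the 1024-byte report size the message cites. A comment above the clamp would record the trust boundary, for example `/* data_len and x_len are device-supplied; bound them by the URB buffer. */`. The function body continues outside the hunk.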
--- /dev/null
+From 171022c7d594c133a45f92357a2a91475edabe20 Mon Sep 17 00:00:00 2001
+From: Henri A <contact@henrialfonso.com>
+Date: Wed, 20 May 2026 10:25:44 -0400
+Subject: media: rc: igorplugusb: fix control request setup packet
+
+From: Henri A <contact@henrialfonso.com>
+
+commit 171022c7d594c133a45f92357a2a91475edabe20 upstream.
+
+Commit eac69475b01f ("media: rc: igorplugusb: heed coherency
+rules") changed the control request storage from an embedded struct to
+an allocated pointer so it can obey DMA coherency rules.
+
+However, the driver still passes &ir->request to usb_fill_control_urb().
+That points the URB setup packet at the pointer field itself rather than
+at the allocated struct usb_ctrlrequest.
+
+USB core then interprets pointer bytes as the setup packet. This can
+produce an invalid bRequestType and trigger the control direction warning
+reported by syzbot:
+
+ usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0
+
+Pass ir->request itself as the setup packet.
+
+Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules")
+Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51
+Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Codex:GPT-5.5
+Signed-off-by: Henri A <contact@henrialfonso.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/igorplugusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/igorplugusb.c
++++ b/drivers/media/rc/igorplugusb.c
+@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_
+ if (!ir->buf_in)
+ goto fail;
+ usb_fill_control_urb(ir->urb, udev,
+- usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
++ usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
+ ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
+
+ usb_make_path(udev, ir->phys, sizeof(ir->phys));
+input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
acpi-button-fix-acpi-gpe-handler-leak-during-removal.patch
acpi-button-enable-wakeup-gpes-for-acpi-buttons-at-p.patch
xfrm-move-policy_bydst-rcu-sync-from-per-netns-.exit.patch
drm-i915-psr-add-defininitions-for-intel_wa_register.patch
drm-i915-psr-read-intel-dpcd-workaround-register.patch
drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch
+iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
+iio-imu-adis16550-fix-stack-leak-in-trigger-handler.patch
+iio-pressure-bmp280-fix-stack-leak-in-bmp580-trigger-handler.patch
+usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
+usb-typec-tcpm-validate-vdo-count-in-discover-identity-ack-handlers.patch
+usb-typec-tcpm-bound-altmode_desc-per-iteration-in-svdm_consume_modes.patch
+usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
+usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
+usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
+usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch
+usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch
+usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
+media-rc-igorplugusb-fix-control-request-setup-packet.patch
+input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
+usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch
+hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
+bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
--- /dev/null
+From e1a9d791fd66ab2431b9e6f6f835823809869047 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 22 May 2026 12:16:21 +0200
+Subject: USB: serial: cypress_m8: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.
+
+Make sure that the interrupt-out endpoint max packet size is at least
+eight bytes to avoid user-controlled slab corruption or NULL-pointer
+dereference should a malicious device report a smaller size.
+
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Cc: stable@vger.kernel.org # 2.6.26
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cypress_m8.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(st
+ return -ENODEV;
+ }
+
++ /*
++ * The buffer must be large enough for the one or two-byte header (and
++ * following data), but assume anything smaller than eight bytes is
++ * broken.
++ */
++ if (port->interrupt_out_size < 8)
++ return -EINVAL;
++
+ priv = kzalloc_obj(struct cypress_private);
+ if (!priv)
+ return -ENOMEM;
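Review bot: The new size check in cypress_generic_port_probe() returns -EINVAL without logging anything, so a device rejected for an undersized interrupt-out endpoint fails to bind with no trace in the kernel log. Since the commit message treats this as a possible malicious-device case, a message before the return would make it visible to whoever triages it, for example `dev_err(&port->dev, "interrupt-out endpoint too small\n");`. The safe_startup() hunk in safe_serial.c rejects small bulk-out sizes equally silently. The function body continues outside the hunk.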
--- /dev/null
+From 438061ed1ad85e6743e2dce826671772d81089ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 22 May 2026 16:22:18 +0200
+Subject: USB: serial: safe_serial: fix memory corruption with small endpoint
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.
+
+Make sure that the bulk-out buffer size is at least eight bytes to avoid
+user-controlled slab corruption in "safe" mode should a malicious device
+report a smaller size.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/safe_serial.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/safe_serial.c
++++ b/drivers/usb/serial/safe_serial.c
+@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
+ static int safe_startup(struct usb_serial *serial)
+ {
+ struct usb_interface_descriptor *desc;
++ int bulk_out_size;
+
+ if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
+ return -ENODEV;
+@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
+ default:
+ return -EINVAL;
+ }
++
++ /*
++ * The bulk-out buffer needs to be large enough for the two-byte
++ * trailer in safe mode, but assume anything smaller than eight bytes
++ * is broken.
++ */
++ bulk_out_size = serial->port[0]->bulk_out_size;
++ if (bulk_out_size > 0 && bulk_out_size < 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
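Review bot: The check in safe_startup() accepts `bulk_out_size == 0` and inspects only `serial->port[0]`, and the new comment explains neither choice. If zero means the port has no bulk-out buffer at all, the comment should say so, and it should also say why the other ports need no check. As written, `bulk_out_size > 0 && bulk_out_size < 8` reads like an oversight. One added sentence such as `* A size of zero (no bulk-out buffer) is not rejected here.` would do, once the meaning of zero is confirmed against the usb-serial core.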
--- /dev/null
+From 8a18f896e667df491331371b55d4ad644dc51d60 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:49 +0200
+Subject: usb: typec: altmodes/displayport: validate count before reading Status Update VDO
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.
+
+A broken/malicious device can send the incorrect count for a status
+update VDO, which will cause the kernel to read uninitialized stack data
+and send it off elsewhere.
+
+Fix this up by correctly verifying the count for the update object.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_a
+ dp->state = DP_STATE_EXIT_PRIME;
+ break;
+ case DP_CMD_STATUS_UPDATE:
++ if (count < 2)
++ break;
+ dp->data.status = *vdo;
+ ret = dp_altmode_status_update(dp);
+ break;
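Review bot: The guard `if (count < 2)` under DP_CMD_STATUS_UPDATE uses a bare literal and drops the short message without any trace. A reader has to work out that 2 means the VDM header plus one Status Update VDO. A comment would make that explicit, for example `/* header + one VDO; a header-only ACK has no status to read */`. The same literal appears in the DP_CMD_CONFIGURE guard added to ucsi_displayport_vdm() in ucsi/displayport.c. What value `ret` holds on this early `break` is decided outside the hunk and is worth confirming, so that a truncated ACK is not treated as a successful update.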
--- /dev/null
+From 3389c149c68c3fea61910ad5d34f7bf3bff44e32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:53 +0200
+Subject: usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 3389c149c68c3fea61910ad5d34f7bf3bff44e32 upstream.
+
+svdm_consume_modes() checks pmdata->altmodes against the array size once
+before the loop over the count, but forgot to check the bound at every
+point in the loop.
+
+In the well-behaved SVDM discovery flow this is harmless because each of
+at most SVID_DISCOVERY_MAX SVIDs contributes at most MODE_DISCOVERY_MAX
+modes, exactly filling altmode_desc[ALTMODE_DISCOVERY_MAX]. But the
+CMDT_RSP_ACK handler in tcpm_pd_svdm() does not correlate an incoming
+ACK with any request the port actually sent. Once port->partner is set,
+an unsolicited Discover Modes ACK is consumed unconditionally. A broken
+or malicious port partner can therefore drive altmodes to
+ALTMODE_DISCOVERY_MAX - 1 via the normal flow, and then send one extra
+Discover Modes ACK with seven VDOs. Because the pre-loop check passes,
+the loop could then writes up to five entries past altmode_desc[]. For
+mode_data_prime the next field in struct tcpm_port is the
+partner_altmode[] pointer array, which then receives partner-chosen
+SVID/VDO bytes.
+
+Move the bound check inside the loop so the array can never be indexed
+past ALTMODE_DISCOVERY_MAX regardless of how many VDOs the partner
+supplies or how the function was reached.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Badhri Jagan Sridharan <badhri@google.com>
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026051351-reshuffle-skillful-90af@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1845,23 +1845,19 @@ static void svdm_consume_modes(struct tc
+ switch (rx_sop_type) {
+ case TCPC_TX_SOP_PRIME:
+ pmdata = &port->mode_data_prime;
+- if (pmdata->altmodes >= ARRAY_SIZE(port->plug_prime_altmode)) {
+- /* Already logged in svdm_consume_svids() */
+- return;
+- }
+ break;
+ case TCPC_TX_SOP:
+ pmdata = &port->mode_data;
+- if (pmdata->altmodes >= ARRAY_SIZE(port->partner_altmode)) {
+- /* Already logged in svdm_consume_svids() */
+- return;
+- }
+ break;
+ default:
+ return;
+ }
+
+ for (i = 1; i < cnt; i++) {
++ if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
++ /* Already logged in svdm_consume_svids() */
++ return;
++ }
+ paltmode = &pmdata->altmode_desc[pmdata->altmodes];
+ memset(paltmode, 0, sizeof(*paltmode));
+
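Review bot: The per-iteration check in svdm_consume_modes() compares against the constant `ALTMODE_DISCOVERY_MAX` rather than against the array it protects. Writing it as `if (pmdata->altmodes >= ARRAY_SIZE(pmdata->altmode_desc)) {` keeps the bound correct if the array size and the constant ever diverge. The retained comment `/* Already logged in svdm_consume_svids() */` may also no longer hold. The commit message describes reaching this point through an unsolicited Discover Modes ACK, a path that presumably never went through svdm_consume_svids(). The comment should be reworded, or a log line added here. The loop body continues outside the hunk.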
--- /dev/null
+From aa2f716327be1818e1cb156da8a2844804aaec2f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:50 +0200
+Subject: usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit aa2f716327be1818e1cb156da8a2844804aaec2f upstream.
+
+A broken/malicious port can transmit a CRC-valid frame whose header
+advertises up to seven data objects but whose body carries fewer than
+that. Check for this, and rightfully reject the message, instead of
+reading from uninitialized stack memory.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: "André Draszik" <andre.draszik@linaro.org>
+Cc: Badhri Jagan Sridharan <badhri@google.com>
+Cc: Amit Sunil Dhamne <amitsd@google.com>
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpci_maxim_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
++++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+@@ -186,6 +186,15 @@ static void process_rx(struct max_tcpci_
+ rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET;
+ msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr);
+ rx_buf_ptr = rx_buf_ptr + sizeof(msg.header);
++
++ if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) +
++ pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) {
++ max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS);
++ dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n",
++ count, pd_header_cnt_le(msg.header));
++ return;
++ }
++
+ for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++,
+ rx_buf_ptr += sizeof(msg.payload[0]))
+ msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr);
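Review bot: The new `dev_err()` in process_rx() fires on input the port partner controls, so a misbehaving partner can flood the kernel log by repeating the short frame. `dev_err_ratelimited(chip->dev, ...)` with the same format string avoids that. The check also sits after `msg.header` has already been read from `rx_buf_ptr`, so it protects only the payload loop. Whether `count` is known to cover the header by that point is decided outside the hunk and should be confirmed.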
--- /dev/null
+From 8fbc349e8383125dd2d8de1c1e926279d398ab17 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:51 +0200
+Subject: usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 8fbc349e8383125dd2d8de1c1e926279d398ab17 upstream.
+
+Properly validate the count passed from a device when calling
+svdm_consume_identity() or svdm_consume_identity_sop_prime() as the
+device-controlled value could index off of the static arrays, which
+could leak data.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
+Link: https://patch.msgid.link/2026051350-plated-salute-0efe@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1708,6 +1708,9 @@ static void svdm_consume_identity(struct
+ u32 vdo = p[VDO_INDEX_IDH];
+ u32 product = p[VDO_INDEX_PRODUCT];
+
++ if (cnt <= VDO_INDEX_PRODUCT)
++ return;
++
+ memset(&port->mode_data, 0, sizeof(port->mode_data));
+
+ port->partner_ident.id_header = vdo;
+@@ -1728,6 +1731,9 @@ static void svdm_consume_identity_sop_pr
+ u32 product = p[VDO_INDEX_PRODUCT];
+ int svdm_version;
+
++ if (cnt <= VDO_INDEX_CABLE_1)
++ return;
++
+ /*
+ * Attempt to consume identity only if cable currently is not set
+ */
+@@ -1751,7 +1757,7 @@ static void svdm_consume_identity_sop_pr
+ switch (port->negotiated_rev_prime) {
+ case PD_REV30:
+ port->cable_desc.pd_revision = 0x0300;
+- if (port->cable_desc.active)
++ if (port->cable_desc.active && cnt > VDO_INDEX_CABLE_2)
+ port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2];
+ break;
+ case PD_REV20:
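Review bot: In svdm_consume_identity() the initializers `u32 vdo = p[VDO_INDEX_IDH];` and `u32 product = p[VDO_INDEX_PRODUCT];` still read `p[]` before the new `cnt` check runs, so a short message is read first and rejected afterwards. The values are discarded on the early return, but the order contradicts the validate-then-read intent of the patch. Declaring `u32 vdo, product;` and assigning `vdo = p[VDO_INDEX_IDH];` and `product = p[VDO_INDEX_PRODUCT];` after the check fixes it. The same pattern applies to `product` in svdm_consume_identity_sop_prime(), whose guard is `cnt <= VDO_INDEX_CABLE_1`. Both function bodies extend outside the hunks.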
--- /dev/null
+From d7486952bf74e546ee3748fb14b2d07881fa6273 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 14 May 2026 19:10:06 +0200
+Subject: usb: typec: ucsi: ccg: reject firmware images without a ':' record header
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.
+
+do_flash() locates the first .cyacd record with
+
+ p = strnchr(fw->data, fw->size, ':');
+ while (p < eof) {
+ s = strnchr(p + 1, eof - p - 1, ':');
+ ...
+ }
+
+If the firmware image contains no ':' byte, strnchr() returns NULL.
+NULL compares less than the valid kernel pointer eof, so the loop body
+runs and strnchr() is called with p + 1 == (void *)1 and a length of
+roughly (unsigned long)eof, causing a wonderful crash.
+
+The not_signed_fw fallthrough earlier in do_flash() and the chip-state
+branches in ccg_fw_update_needed() allow an unsigned blob to reach this
+loop, so a root user who can place a crafted file under /lib/firmware
+and write the do_flash sysfs attribute can trigger the oops.
+
+Bail out with -EINVAL when the initial strnchr() returns NULL.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -1243,6 +1243,11 @@ not_signed_fw:
+ *****************************************************************/
+
+ p = strnchr(fw->data, fw->size, ':');
++ if (!p) {
++ dev_err(dev, "Bad FW format: no ':' record header found\n");
++ err = -EINVAL;
++ goto release_mem;
++ }
+ while (p < eof) {
+ s = strnchr(p + 1, eof - p - 1, ':');
+
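Review bot: The new `if (!p)` guard after the first `strnchr()` call has no comment explaining why a NULL result must be rejected before the loop. The reason is not obvious from the code: NULL compares below `eof`, so `while (p < eof)` would otherwise run with `p + 1` as a bogus pointer. I would add `/* strnchr() returns NULL when the image has no ':'; NULL < eof would still enter the loop */` above the check. The in-loop `s = strnchr(p + 1, eof - p - 1, ':')` can also return NULL for the final record, and its handling is outside this hunk, so it is worth confirming that `s` is checked before use there. The rest of do_flash() and the `release_mem` label are also outside the hunk.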
--- /dev/null
+From 167dd8d12226587ee554f520aed0256b7769cd5d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:54 +0200
+Subject: usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.
+
+ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
+payload VDO from data[], but unlike the equivalent handler in
+altmodes/displayport.c it does not check that count covers a VDO beyond
+the header. A header-only Configure VDM (count == 1) would read one u32
+past the caller's array.
+
+In the normal UCSI path the caller controls count, so this is hardening
+for non-standard delivery paths. NAK and bail when no configuration VDO
+is present, matching the generic DP altmode driver's existing guard.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Pooja Katiyar <pooja.katiyar@intel.com>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/displayport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/displayport.c
++++ b/drivers/usb/typec/ucsi/displayport.c
+@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
+ dp->header |= VDO_CMDT(CMDT_RSP_ACK);
+ break;
+ case DP_CMD_CONFIGURE:
++ if (count < 2) {
++ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
++ break;
++ }
+ dp->data.conf = *data;
+ if (ucsi_displayport_configure(dp)) {
+ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
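Review bot: The literal `2` in `if (count < 2)` under `case DP_CMD_CONFIGURE:` is unexplained. Going by the commit description, `count` includes the VDM header, so the test means "header plus at least one configuration VDO". A one-line comment such as `/* count includes the VDM header; Configure needs one payload VDO */` would keep a later reader from loosening the bound. The other cases of this switch are outside the hunk, and any of them that read `data[]` would presumably need the same length check. ucsi_displayport_vdm() starts and ends outside the hunk.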
--- /dev/null
+From 288a81a8507052bcfbf884d39a463c44c42c5fd9 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:55 +0200
+Subject: usb: typec: ucsi: validate connector number in ucsi_connector_change()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 288a81a8507052bcfbf884d39a463c44c42c5fd9 upstream.
+
+The connector number in a UCSI CCI notification is a 7-bit field
+supplied by the PPM. ucsi_connector_change() uses it to index the
+ucsi->connector[] array without checking it against the number of
+connectors the PPM reported at init time, so a buggy or malicious PPM
+(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
+glink transports) can drive schedule_work() on memory past the end of
+the array.
+
+Reject connector numbers that are zero or exceed cap.num_connectors
+before dereferencing the array.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: Benson Leung <bleung@chromium.org>
+Cc: Jameson Thies <jthies@google.com>
+Cc: Nathan Rebello <nathan.c.rebello@gmail.com>
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Pooja Katiyar <pooja.katiyar@intel.com>
+Cc: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Cc: Abel Vesa <abelvesa@kernel.org>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1370,13 +1370,22 @@ out_unlock:
+ */
+ void ucsi_connector_change(struct ucsi *ucsi, u8 num)
+ {
+- struct ucsi_connector *con = &ucsi->connector[num - 1];
++ struct ucsi_connector *con;
+
+ if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
+ dev_dbg(ucsi->dev, "Early connector change event\n");
+ return;
+ }
+
++ if (!num || num > ucsi->cap.num_connectors) {
++ dev_warn_ratelimited(ucsi->dev,
++ "Bogus connector change on %u (max %u)\n",
++ num, ucsi->cap.num_connectors);
++ return;
++ }
++
++ con = &ucsi->connector[num - 1];
++
+ if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
+ schedule_work(&con->work);
+ }
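Review bot: The kernel-doc comment above ucsi_connector_change() should be updated for the new contract; only its closing `*/` is visible at the top of the hunk. It should say that `num` is 1-based and that a value of zero or above `ucsi->cap.num_connectors` is dropped with a rate-limited warning and no work scheduled, for example `* Out-of-range connector numbers are ignored with a warning.` The new bound is only as strong as `cap.num_connectors` itself, which the commit description says is reported by the PPM at init time. The check therefore assumes `ucsi->connector[]` was allocated with at least that many entries and that the field does not change afterwards. The allocation is not visible here, so that is worth confirming.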
--- /dev/null
+From 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 13 May 2026 17:52:48 +0200
+Subject: usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.
+
+wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
+struct pd_message with
+
+ for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
+ regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+
+which has two problems:
+
+USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
+is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
+The byte count latched in RXINFO is the number of bytes the port partner
+put on the wire, so a malicious partner that transmits a 31-byte frame
+can drive the loop one byte past the destination if the WCOVE BMC
+receiver does not enforce the PD object-count limit in hardware. The
+existing FIXME flagged this as unverified.
+
+Independently, regmap_read() takes an unsigned int * and stores a full
+unsigned int at the destination. Passing the byte pointer msg + i means
+each iteration writes four bytes; the high three are zero (val_bits is
+8) and are normally overwritten by the next iteration, but the final
+iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
+already writes three zero bytes past msg, which sits on the IRQ thread's
+stack in wcove_typec_irq().
+
+Clamp the loop to sizeof(struct pd_message) and read each register into
+a local before storing only its low byte, so the copy can never exceed
+the destination regardless of what RXINFO reports.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/wcove.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
+ return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
+ }
+
+-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
++static int wcove_read_rx_buffer(struct wcove_typec *wcove,
++ struct pd_message *msg)
+ {
+- unsigned int info;
++ unsigned int info, val, len;
++ u8 *buf = (u8 *)msg;
+ int ret;
+ int i;
+
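Review bot: `len` is declared `unsigned int` here, but the next hunk assigns it from `min(USBC_RXINFO_RXBYTES(info), sizeof(*msg))`, which mixes what appears to be an `unsigned int` expression with a `size_t`. On trees whose `min()` still enforces identical argument types this fails the type check, so a backport may need `min_t(unsigned int, USBC_RXINFO_RXBYTES(info), sizeof(*msg))`. The loop index also stays `int i` while being compared against the unsigned `len`; declaring it `unsigned int i` keeps the comparison same-signed. The function body continues in the following hunk, which runs past the visible part of the page.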
+@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
+ if (ret)
+ return ret;
+
+- /* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
++ len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
+
+- for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
+- ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
++ for (i = 0; i < len; i++) {
++ ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
+ if (ret)
+ return ret;
++ buf[i] = val;
+ }
+
+ return regmap_write(wcove->regmap, USBC_RXSTATUS,