From: Greg Kroah-Hartman
Date: Thu, 4 Jun 2026 08:17:40 +0000 (+0200)
Subject: 7.0-stable patches
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=1d5aa59513bc2589ecc5558a988ab7220bba8e90;p=thirdparty%2Fkernel%2Fstable-queue.git
7.0-stable patches
added patches:
bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
iio-imu-adis16550-fix-stack-leak-in-trigger-handler.patch
iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
iio-pressure-bmp280-fix-stack-leak-in-bmp580-trigger-handler.patch
input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
media-rc-igorplugusb-fix-control-request-setup-packet.patch
usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch
usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
usb-typec-tcpm-bound-altmode_desc-per-iteration-in-svdm_consume_modes.patch
usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch
usb-typec-tcpm-validate-vdo-count-in-discover-identity-ack-handlers.patch
usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch
usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
---
diff --git a/queue-7.0/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch b/queue-7.0/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
new file mode 100644
index 0000000000..d6a780d9a9
--- /dev/null
+++ b/queue-7.0/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
@@ -0,0 +1,57 @@
+From 82855073c1081732656734b74d7d1d5e4cfd0da7 Mon Sep 17 00:00:00 2001
+From: Shuai Zhang
+Date: Thu, 21 May 2026 13:25:47 +0800
+Subject: Bluetooth: btusb: Allow firmware re-download when version matches
+
+From: Shuai Zhang
+
+commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.
+
+The Bluetooth host decides whether to download firmware by reading the
+controller firmware download completion flag and firmware version
+information.
+
+If a USB error occurs during the firmware download process (for example
+due to a USB disconnect), the download is aborted immediately. An
+incomplete firmware transfer does not cause the controller to set the
+download completion flag, but the firmware version information may be
+updated at an early stage of the download process.
+
+In this case, after USB reconnection, the host attempts to re-download
+the firmware because the download completion flag is not set. However,
+since the controller reports the same firmware version as the target
+firmware, the download is skipped. This ultimately results in the
+firmware not being properly updated on the controller.
+
+This change removes the restriction that skips firmware download when
+the versions are equal. It covers scenarios where the USB connection
+can be disconnected at any time and ensures that firmware download can
+be retriggered after USB reconnection, allowing the Bluetooth firmware
+to be correctly and completely updated.
+
+Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shuai Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btusb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3511,7 +3511,13 @@ static int btusb_setup_qca_load_rampatch
+ "firmware rome 0x%x build 0x%x",
+ rver_rom, rver_patch, ver_rom, ver_patch);
+
+- if (rver_rom != ver_rom || rver_patch <= ver_patch) {
++ /* Allow rampatch when the patch version equals the firmware version.
++ * A firmware download may be aborted by a transient USB error (e.g.
++ * disconnect) after the controller updates version info but before
++ * completion.
++ * Allowing equal versions enables re-flashing during recovery.
++ */
++ if (rver_rom != ver_rom || rver_patch < ver_patch) {
+ bt_dev_err(hdev, "rampatch file version did not match with firmware");
+ err = -EINVAL;
+ goto done;
diff --git a/queue-7.0/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch b/queue-7.0/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
new file mode 100644
index 0000000000..b8514cdb80
--- /dev/null
+++ b/queue-7.0/hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
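Review bot: The error message on the line after the new condition, `bt_dev_err(hdev, "rampatch file version did not match with firmware")`, no longer describes what is rejected: with `rver_patch < ver_patch` the branch fires only on a ROM mismatch or a rampatch older than the firmware, and an equal version now passes. Consider `bt_dev_err(hdev, "rampatch rom mismatch or file older than firmware");` so a log reader does not assume the versions differ. The new block comment explains why equality is allowed but not what prevents re-flashing an already complete firmware on every boot; if, as the commit message implies, the download-completion flag checked earlier is what gates that, one sentence saying so in the comment would make the intent verifiable from the code. btusb_setup_qca_load_rampatch starts and ends outside the hunk.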
@@ -0,0 +1,48 @@
+From 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd Mon Sep 17 00:00:00 2001
+From: hlleng
+Date: Tue, 12 May 2026 09:57:37 +0800
+Subject: HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
+
+From: hlleng
+
+commit 07466fc91c55532edcfb5c6a7ccd2ea52728d6bd upstream.
+
+The SIGMACHIP USB mouse with VID/PID 1c4f:0034 can disconnect and
+re-enumerate repeatedly after it has been enumerated if its interrupt
+endpoint is not continuously polled.
+
+This was observed with the device reporting itself as "SIGMACHIP Usb
+Mouse". Keeping the input event device open avoids the disconnects.
+
+Add HID_QUIRK_ALWAYS_POLL for this device so the HID core keeps polling
+it even when there is no userspace input consumer.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: hlleng
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1261,6 +1261,7 @@
+
+ #define USB_VENDOR_ID_SIGMA_MICRO 0x1c4f
+ #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD 0x0002
++#define USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE 0x0034
+ #define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD2 0x0059
+
+ #define USB_VENDOR_ID_SIGMATEL 0x066F
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -186,6 +186,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD), HID_QUIRK_NO_INIT_REPORTS },
++ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_USB_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS1030_TOUCH), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_SIS_TOUCH, USB_DEVICE_ID_SIS817_TOUCH), HID_QUIRK_NOGET },
diff --git a/queue-7.0/iio-imu-adis16550-fix-stack-leak-in-trigger-handler.patch b/queue-7.0/iio-imu-adis16550-fix-stack-leak-in-trigger-handler.patch
new file mode 100644
index 0000000000..24ee0c6508
--- /dev/null
+++ b/queue-7.0/iio-imu-adis16550-fix-stack-leak-in-trigger-handler.patch
@@ -0,0 +1,49 @@
+From 474f8928d50b09f7dcf507049f08732640b88b49 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Apr 2026 15:40:49 +0200
+Subject: iio: imu: adis16550: fix stack leak in trigger handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit 474f8928d50b09f7dcf507049f08732640b88b49 upstream.
+
+adis16550_trigger_handler() declares the scan data array on the stack
+without initializing it. The memcpy() at the bottom fills only the
+first 28 bytes (TEMP + 6 channels of GYRO/ACCEL data), and
+iio_push_to_buffers_with_timestamp() writes the s64 timestamp at the
+8-byte-aligned offset 32. Bytes 28-31 remain uninitialized stack data
+which leaks to userspace on ever trigger.
+
+Fix this all by just zero-initializing the structure on the stack.
+
+Cc: Lars-Peter Clausen
+Cc: Michael Hennerich
+Cc: Jonathan Cameron
+Cc: David Lechner
+Cc: "Nuno Sá"
+Cc: Andy Shevchenko
+Fixes: e4570f4bb231 ("iio: imu: adis16550: align buffers for timestamp")
+Cc: stable
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman
+Reviewed-by: David Lechner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/adis16550.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/adis16550.c
++++ b/drivers/iio/imu/adis16550.c
+@@ -836,7 +836,7 @@ static irqreturn_t adis16550_trigger_han
+ u16 dummy;
+ bool valid;
+ struct iio_poll_func *pf = p;
+- __be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8);
++ __be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8) = { };
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct adis16550 *st = iio_priv(indio_dev);
+ struct adis *adis = iio_device_get_drvdata(indio_dev);
diff --git a/queue-7.0/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch b/queue-7.0/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
new file mode 100644
index 0000000000..e4e76a6ff0
--- /dev/null
+++ b/queue-7.0/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
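Review bot: The `= { }` initializer closes the hole, but nothing at the declaration says why the array must be zeroed, so a later cleanup that drops an apparently unneeded initializer would reintroduce the leak; a comment such as `/* zeroed: bytes between the copied samples and the timestamp reach userspace */` at `__be32 data[ADIS16550_MAX_SCAN_DATA] __aligned(8) = { };` would pin the requirement. The same applies to `iio_buff` in the st_lsm6dsx patch and `buffer` in the bmp280 patch that follow in this commit. adis16550_trigger_handler starts and ends outside the hunk.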
@@ -0,0 +1,52 @@
+From c9d8e9adaa63150ef7e833480b799d0bab83a276 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Apr 2026 15:40:48 +0200
+Subject: iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.
+
+The tagged FIFO path declares iio_buff on the stack with __aligned(8)
+but no initializer, but there is a hole in the structure, which will
+then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
+copied, but the space between that and the timestamp are not
+initialized.
+
+Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
+issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
+but for the tagged path it only added the alignment qualifier and not
+the initializer :(
+
+Fix this by just zero-initializing the structure on the stack.
+
+Cc: Lorenzo Bianconi
+Cc: Jonathan Cameron
+Cc: David Lechner
+Cc: "Nuno Sá"
+Cc: Andy Shevchenko
+Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
+Cc: stable
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman
+Reviewed-by: David Lechner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+@@ -609,7 +609,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
+ * must be passed a buffer that is aligned to 8 bytes so
+ * as to allow insertion of a naturally aligned timestamp.
+ */
+- u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
++ u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
+ u8 tag;
+ bool reset_ts = false;
+ int i, err, read_len;
diff --git a/queue-7.0/iio-pressure-bmp280-fix-stack-leak-in-bmp580-trigger-handler.patch b/queue-7.0/iio-pressure-bmp280-fix-stack-leak-in-bmp580-trigger-handler.patch
new file mode 100644
index 0000000000..fa33a1ed87
--- /dev/null
+++ b/queue-7.0/iio-pressure-bmp280-fix-stack-leak-in-bmp580-trigger-handler.patch
@@ -0,0 +1,52 @@
+From 387c86b582e0782ab332e7bfcd4e6e3f93922961 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Apr 2026 15:40:47 +0200
+Subject: iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit 387c86b582e0782ab332e7bfcd4e6e3f93922961 upstream.
+
+bmp580_trigger_handler() declares its scan buffer on the stack without
+an initializer and then memcpy()s 3 bytes of 24-bit sensor data into
+each 4-byte __le32 field. The high byte of comp_temp and comp_press is
+left uninitialized, and the channel storagebits is 32, so two bytes of
+stack are pushed to userspace per scan.
+
+This is a regression from when the buffer lived in the private data, the
+move to a stack-local struct dropped the implicit zeroing.
+bme280_trigger_handler() was fixed up to handle this bug, but this
+driver was not fixed because there was no padding hole, but rather a
+short-fill issue.
+
+Fix this all by just zero-initializing the structure on the stack.
+
+Cc: Jonathan Cameron
+Cc: David Lechner
+Cc: "Nuno Sá"
+Cc: Andy Shevchenko
+Fixes: 872c8014e05e ("iio: pressure: bmp280: drop sensor_data array")
+Cc: stable
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman
+Reviewed-by: David Lechner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/pressure/bmp280-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/pressure/bmp280-core.c
++++ b/drivers/iio/pressure/bmp280-core.c
+@@ -2616,7 +2616,7 @@ static irqreturn_t bmp580_trigger_handle
+ __le32 comp_temp;
+ __le32 comp_press;
+ aligned_s64 timestamp;
+- } buffer;
++ } buffer = { };
+ int ret;
+
+ guard(mutex)(&data->lock);
diff --git a/queue-7.0/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch b/queue-7.0/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
new file mode 100644
index 0000000000..cc66563d91
--- /dev/null
+++ b/queue-7.0/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
@@ -0,0 +1,35 @@
+From dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Fri, 22 May 2026 10:54:04 +0200
+Subject: Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
+
+From: Thomas Fourier
+
+commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.
+
+The input buffer size is pcu->max_in_size, but pcu->max_out_size is
+passed to usb_free_coherent().
+
+Change size to match the allocation size.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier
+Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/misc/ims-pcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1604,7 +1604,7 @@ static void ims_pcu_buffers_free(struct
+ usb_kill_urb(pcu->urb_in);
+ usb_free_urb(pcu->urb_in);
+
+- usb_free_coherent(pcu->udev, pcu->max_out_size,
++ usb_free_coherent(pcu->udev, pcu->max_in_size,
+ pcu->urb_in_buf, pcu->read_dma);
+
+ kfree(pcu->urb_out_buf);
diff --git a/queue-7.0/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch b/queue-7.0/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
new file mode 100644
index 0000000000..2b1091dce6
--- /dev/null
+++ b/queue-7.0/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
@@ -0,0 +1,61 @@
+From 2905281cbda52ec9df540113b35b835feb5fafd3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 20 Apr 2026 18:00:27 +0200
+Subject: Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.
+
+nexio_read_data() pulls data_len and x_len from a packed __be16 header
+in the device's interrupt packet and then walks packet->data[0..x_len)
+and packet->data[x_len..data_len) comparing each byte against a
+threshold.
+
+Both fields are 16-bit on the wire (max 65535). The existing
+adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
+reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size
+(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
+packed header — so packet->data[] has 1017 valid bytes. read_data()
+callbacks are not given urb->actual_length, and nothing else bounds the
+walk.
+
+A device that lies about its length can get a ~64 KiB out-of-bounds read
+past the coherent DMA allocation. The first index whose byte exceeds
+NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
+reported touch coordinates, so adjacent kernel memory contents leak to
+userspace as ABS_X / ABS_Y events. Far enough out, the read can also
+hit an unmapped page and fault.
+
+Fix this all by clamping data_len to the buffer's data[] capacity and
+x_len to data_len.
+
+Cc: Dmitry Torokhov
+Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
+Cc: stable
+Assisted-by: gkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman
+Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -1070,6 +1070,11 @@ static int nexio_read_data(struct usbtou
+ if (x_len > 0xff)
+ x_len -= 0x80;
+
++ if (data_len > usbtouch->data_size - sizeof(*packet))
++ data_len = usbtouch->data_size - sizeof(*packet);
++ if (x_len > data_len)
++ x_len = data_len;
++
+ /* send ACK */
+ ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
+ if (ret)
diff --git a/queue-7.0/media-rc-igorplugusb-fix-control-request-setup-packet.patch b/queue-7.0/media-rc-igorplugusb-fix-control-request-setup-packet.patch
new file mode 100644
index 0000000000..91e08726fe
--- /dev/null
+++ b/queue-7.0/media-rc-igorplugusb-fix-control-request-setup-packet.patch
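Review bot: The clamp `if (data_len > usbtouch->data_size - sizeof(*packet))` is evaluated in `size_t`, so if `data_size` could ever be smaller than `sizeof(*packet)` the subtraction wraps and the clamp silently stops bounding `data_len`; the commit message says NEXIO always allocates 1024 bytes here, so this is a robustness point rather than a live bug. A guard such as `if (usbtouch->data_size < sizeof(*packet))` that rejects the packet before the clamp, or a comment stating that `data_size` is always `rept_size` for this device, would pin that assumption next to the code that depends on it. The declarations of `data_len` and `x_len` are not in the hunk; if either is signed, the comparison against the `size_t` expression promotes it to unsigned and a negative value would not be caught, so it is worth confirming they are unsigned. nexio_read_data starts and ends outside the hunk.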
@@ -0,0 +1,50 @@
+From 171022c7d594c133a45f92357a2a91475edabe20 Mon Sep 17 00:00:00 2001
+From: Henri A
+Date: Wed, 20 May 2026 10:25:44 -0400
+Subject: media: rc: igorplugusb: fix control request setup packet
+
+From: Henri A
+
+commit 171022c7d594c133a45f92357a2a91475edabe20 upstream.
+
+Commit eac69475b01f ("media: rc: igorplugusb: heed coherency
+rules") changed the control request storage from an embedded struct to
+an allocated pointer so it can obey DMA coherency rules.
+
+However, the driver still passes &ir->request to usb_fill_control_urb().
+That points the URB setup packet at the pointer field itself rather than
+at the allocated struct usb_ctrlrequest.
+
+USB core then interprets pointer bytes as the setup packet. This can
+produce an invalid bRequestType and trigger the control direction warning
+reported by syzbot:
+
+ usb 2-1: BOGUS control dir, pipe 80003580 doesn't match bRequestType 0
+
+Pass ir->request itself as the setup packet.
+
+Fixes: eac69475b01f ("media: rc: igorplugusb: heed coherency rules")
+Reported-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=11f0e4f957c7c3bf3d51
+Tested-by: syzbot+11f0e4f957c7c3bf3d51@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Assisted-by: Codex:GPT-5.5
+Signed-off-by: Henri A
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/igorplugusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/igorplugusb.c
++++ b/drivers/media/rc/igorplugusb.c
+@@ -184,7 +184,7 @@ static int igorplugusb_probe(struct usb_
+ if (!ir->buf_in)
+ goto fail;
+ usb_fill_control_urb(ir->urb, udev,
+- usb_rcvctrlpipe(udev, 0), (uint8_t *)&ir->request,
++ usb_rcvctrlpipe(udev, 0), (uint8_t *)ir->request,
+ ir->buf_in, MAX_PACKET, igorplugusb_callback, ir);
+
+ usb_make_path(udev, ir->phys, sizeof(ir->phys));
diff --git a/queue-7.0/series b/queue-7.0/series
index 2a7f2629da..d6b7d8e26e 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -1,3 +1,4 @@
+input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
 acpi-button-fix-acpi-gpe-handler-leak-during-removal.patch
 acpi-button-enable-wakeup-gpes-for-acpi-buttons-at-p.patch
 xfrm-move-policy_bydst-rcu-sync-from-per-netns-.exit.patch
@@ -114,3 +115,20 @@ revert-x86-fpu-refine-and-simplify-the-magic-number-.patch
 drm-i915-psr-add-defininitions-for-intel_wa_register.patch
 drm-i915-psr-read-intel-dpcd-workaround-register.patch
 drm-i915-psr-apply-intel-dpcd-workaround-when-sdp-on.patch
+iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
+iio-imu-adis16550-fix-stack-leak-in-trigger-handler.patch
+iio-pressure-bmp280-fix-stack-leak-in-bmp580-trigger-handler.patch
+usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
+usb-typec-tcpm-validate-vdo-count-in-discover-identity-ack-handlers.patch
+usb-typec-tcpm-bound-altmode_desc-per-iteration-in-svdm_consume_modes.patch
+usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
+usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
+usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
+usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch
+usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch
+usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
+media-rc-igorplugusb-fix-control-request-setup-packet.patch
+input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
+usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch
+hid-quirks-add-always_poll-quirk-for-sigmachip-usb-mouse.patch
+bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
diff --git a/queue-7.0/usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch b/queue-7.0/usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644
index 0000000000..04cdc5796d
--- /dev/null
+++ b/queue-7.0/usb-serial-cypress_m8-fix-memory-corruption-with-small-endpoint.patch
@@ -0,0 +1,39 @@
+From e1a9d791fd66ab2431b9e6f6f835823809869047 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 22 May 2026 12:16:21 +0200
+Subject: USB: serial: cypress_m8: fix memory corruption with small endpoint
+
+From: Johan Hovold
+
+commit e1a9d791fd66ab2431b9e6f6f835823809869047 upstream.
+
+Make sure that the interrupt-out endpoint max packet size is at least
+eight bytes to avoid user-controlled slab corruption or NULL-pointer
+dereference should a malicious device report a smaller size.
+
+Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
+Cc: stable@vger.kernel.org # 2.6.26
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/cypress_m8.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -445,6 +445,14 @@ static int cypress_generic_port_probe(st
+ return -ENODEV;
+ }
+
++ /*
++ * The buffer must be large enough for the one or two-byte header (and
++ * following data), but assume anything smaller than eight bytes is
++ * broken.
++ */
++ if (port->interrupt_out_size < 8)
++ return -EINVAL;
++
+ priv = kzalloc_obj(struct cypress_private);
+ if (!priv)
+ return -ENOMEM;
diff --git a/queue-7.0/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch b/queue-7.0/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644
index 0000000000..915d2304bd
--- /dev/null
+++ b/queue-7.0/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
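Review bot: The new `if (port->interrupt_out_size < 8) return -EINVAL;` is placed before `kzalloc_obj()`, so a rejected port leaks nothing, which is the right order; the remaining point is documentation. The comment says the header is one or two bytes but the floor is eight, and a reader cannot tell from here what consumes the other six bytes or why a smaller but still header-sized packet counts as broken; one sentence in the comment stating where the eight comes from would make the bound auditable instead of looking arbitrary. The safe_serial patch in the next file applies the same eight-byte floor but additionally allows `bulk_out_size == 0`; whether the two drivers intentionally differ on a zero-sized endpoint is not visible here and is worth stating in whichever comment the difference is deliberate in. cypress_generic_port_probe starts and ends outside the hunk.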
@@ -0,0 +1,49 @@
+From 438061ed1ad85e6743e2dce826671772d81089ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 22 May 2026 16:22:18 +0200
+Subject: USB: serial: safe_serial: fix memory corruption with small endpoint
+
+From: Johan Hovold
+
+commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.
+
+Make sure that the bulk-out buffer size is at least eight bytes to avoid
+user-controlled slab corruption in "safe" mode should a malicious device
+report a smaller size.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/safe_serial.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/safe_serial.c
++++ b/drivers/usb/serial/safe_serial.c
+@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
+ static int safe_startup(struct usb_serial *serial)
+ {
+ struct usb_interface_descriptor *desc;
++ int bulk_out_size;
+
+ if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
+ return -ENODEV;
+@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
+ default:
+ return -EINVAL;
+ }
++
++ /*
++ * The bulk-out buffer needs to be large enough for the two-byte
++ * trailer in safe mode, but assume anything smaller than eight bytes
++ * is broken.
++ */
++ bulk_out_size = serial->port[0]->bulk_out_size;
++ if (bulk_out_size > 0 && bulk_out_size < 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-7.0/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch b/queue-7.0/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
new file mode 100644
index 0000000000..4f36c8fa77
--- /dev/null
+++ b/queue-7.0/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
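Review bot: The guard `if (bulk_out_size > 0 && bulk_out_size < 8)` lets a port with no bulk-out endpoint (`bulk_out_size == 0`) pass startup, while the cypress_m8 patch in this commit rejects any interrupt-out size below eight; if safe mode's write path needs the two-byte trailer space the comment refers to, a zero-sized buffer is as unusable as a seven-byte one, and if write-less ports are legitimately supported the `> 0` clause deserves its own sentence in the comment so nobody "fixes" it later. `serial->port[0]` is also dereferenced with no visible check that the interface has at least one port; that is probably guaranteed by usb-serial core before `startup()` is called, but it is not visible in the hunk. The two hunks show the start and end of safe_startup; its middle is outside the hunks.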
@@ -0,0 +1,35 @@
+From 8a18f896e667df491331371b55d4ad644dc51d60 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:49 +0200
+Subject: usb: typec: altmodes/displayport: validate count before reading Status Update VDO
+
+From: Greg Kroah-Hartman
+
+commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.
+
+A broken/malicious device can send the incorrect count for a status
+update VDO, which will cause the kernel to read uninitialized stack data
+and send it off elsewhere.
+
+Fix this up by correctly verifying the count for the update object.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -405,6 +405,8 @@ static int dp_altmode_vdm(struct typec_a
+ dp->state = DP_STATE_EXIT_PRIME;
+ break;
+ case DP_CMD_STATUS_UPDATE:
++ if (count < 2)
++ break;
+ dp->data.status = *vdo;
+ ret = dp_altmode_status_update(dp);
+ break;
diff --git a/queue-7.0/usb-typec-tcpm-bound-altmode_desc-per-iteration-in-svdm_consume_modes.patch b/queue-7.0/usb-typec-tcpm-bound-altmode_desc-per-iteration-in-svdm_consume_modes.patch
new file mode 100644
index 0000000000..cb44e1a07b
--- /dev/null
+++ b/queue-7.0/usb-typec-tcpm-bound-altmode_desc-per-iteration-in-svdm_consume_modes.patch
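Review bot: `if (count < 2) break;` drops a short Status Update silently, and the literal 2 is unexplained; if `count` includes the header VDO, a comment such as `/* Status Update must carry one VDO after the header */` at the check would say why 2 is the threshold, and a `dev_dbg()` there would make a misbehaving partner distinguishable from a driver bug when the DP state machine stalls. It is also not visible in the hunk what `ret` holds when this `break` is taken, so whether the caller sees the dropped message as success or as an error is unclear and worth confirming. dp_altmode_vdm starts and ends outside the hunk.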
@@ -0,0 +1,71 @@
+From 3389c149c68c3fea61910ad5d34f7bf3bff44e32 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:53 +0200
+Subject: usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
+
+From: Greg Kroah-Hartman
+
+commit 3389c149c68c3fea61910ad5d34f7bf3bff44e32 upstream.
+
+svdm_consume_modes() checks pmdata->altmodes against the array size once
+before the loop over the count, but forgot to check the bound at every
+point in the loop.
+
+In the well-behaved SVDM discovery flow this is harmless because each of
+at most SVID_DISCOVERY_MAX SVIDs contributes at most MODE_DISCOVERY_MAX
+modes, exactly filling altmode_desc[ALTMODE_DISCOVERY_MAX]. But the
+CMDT_RSP_ACK handler in tcpm_pd_svdm() does not correlate an incoming
+ACK with any request the port actually sent. Once port->partner is set,
+an unsolicited Discover Modes ACK is consumed unconditionally. A broken
+or malicious port partner can therefore drive altmodes to
+ALTMODE_DISCOVERY_MAX - 1 via the normal flow, and then send one extra
+Discover Modes ACK with seven VDOs. Because the pre-loop check passes,
+the loop could then writes up to five entries past altmode_desc[]. For
+mode_data_prime the next field in struct tcpm_port is the
+partner_altmode[] pointer array, which then receives partner-chosen
+SVID/VDO bytes.
+
+Move the bound check inside the loop so the array can never be indexed
+past ALTMODE_DISCOVERY_MAX regardless of how many VDOs the partner
+supplies or how the function was reached.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Badhri Jagan Sridharan
+Cc: Heikki Krogerus
+Cc: stable
+Link: https://patch.msgid.link/2026051351-reshuffle-skillful-90af@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1845,23 +1845,19 @@ static void svdm_consume_modes(struct tc
+ switch (rx_sop_type) {
+ case TCPC_TX_SOP_PRIME:
+ pmdata = &port->mode_data_prime;
+- if (pmdata->altmodes >= ARRAY_SIZE(port->plug_prime_altmode)) {
+- /* Already logged in svdm_consume_svids() */
+- return;
+- }
+ break;
+ case TCPC_TX_SOP:
+ pmdata = &port->mode_data;
+- if (pmdata->altmodes >= ARRAY_SIZE(port->partner_altmode)) {
+- /* Already logged in svdm_consume_svids() */
+- return;
+- }
+ break;
+ default:
+ return;
+ }
+
+ for (i = 1; i < cnt; i++) {
++ if (pmdata->altmodes >= ALTMODE_DISCOVERY_MAX) {
++ /* Already logged in svdm_consume_svids() */
++ return;
++ }
+ paltmode = &pmdata->altmode_desc[pmdata->altmodes];
+ memset(paltmode, 0, sizeof(*paltmode));
+
diff --git a/queue-7.0/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch b/queue-7.0/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch
new file mode 100644
index 0000000000..3e7efa62c1
--- /dev/null
+++ b/queue-7.0/usb-typec-tcpm-tcpci_maxim-validate-header-ndo-against-rx_byte_cnt.patch
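Review bot: The in-loop check compares against `ALTMODE_DISCOVERY_MAX` for both SOP and SOP', whereas the removed pre-loop checks bounded against `ARRAY_SIZE(port->plug_prime_altmode)` and `ARRAY_SIZE(port->partner_altmode)`; that is the right bound for `altmode_desc[]` (the commit message gives its size as ALTMODE_DISCOVERY_MAX), but it now silently assumes the two pointer arrays are at least that large, since the same `altmodes` counter presumably indexes them later. A `BUILD_BUG_ON()` tying `ARRAY_SIZE(port->partner_altmode)` and `ARRAY_SIZE(port->plug_prime_altmode)` to `ALTMODE_DISCOVERY_MAX`, or a one-line comment at the new check naming that dependency, would keep the sizes from drifting apart. The carried-over `/* Already logged in svdm_consume_svids() */` comment is no longer accurate in the new position: the `return` now also fires mid-ACK when a single response carries more modes than fit, which svdm_consume_svids() cannot have logged, so a `tcpm_log()` here would make that truncation observable. svdm_consume_modes starts and ends outside the hunk.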
@@ -0,0 +1,47 @@
+From aa2f716327be1818e1cb156da8a2844804aaec2f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:50 +0200
+Subject: usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit aa2f716327be1818e1cb156da8a2844804aaec2f upstream.
+
+A broken/malicious port can transmit a CRC-valid frame whose header
+advertises up to seven data objects but whose body carries fewer than
+that. Check for this, and rightfully reject the message, instead of
+reading from uninitialized stack memory.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Heikki Krogerus
+Cc: "André Draszik"
+Cc: Badhri Jagan Sridharan
+Cc: Amit Sunil Dhamne
+Cc: stable
+Link: https://patch.msgid.link/2026051350-sitter-canopener-9045@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpci_maxim_core.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
++++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+@@ -186,6 +186,15 @@ static void process_rx(struct max_tcpci_
+ rx_buf_ptr = rx_buf + TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET;
+ msg.header = cpu_to_le16(*(u16 *)rx_buf_ptr);
+ rx_buf_ptr = rx_buf_ptr + sizeof(msg.header);
++
++ if (count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) +
++ pd_header_cnt_le(msg.header) * sizeof(msg.payload[0])) {
++ max_tcpci_write16(chip, TCPC_ALERT, TCPC_ALERT_RX_STATUS);
++ dev_err(chip->dev, "Invalid TCPC_RX_BYTE_CNT %d for header cnt %d\n",
++ count, pd_header_cnt_le(msg.header));
++ return;
++ }
++
+ for (payload_index = 0; payload_index < pd_header_cnt_le(msg.header); payload_index++,
+ rx_buf_ptr += sizeof(msg.payload[0]))
+ msg.payload[payload_index] = cpu_to_le32(*(u32 *)rx_buf_ptr);
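Review bot: `count` is printed with `%d`, so it is a signed int, and the new comparison `count < TCPC_RECEIVE_BUFFER_RX_BYTE_BUF_OFFSET + sizeof(msg.header) + ...` is against a `size_t` expression, which converts `count` to unsigned; a negative `count` (if whatever fills it earlier can fail that way) would pass the check and the loop below would run. If that is possible, a `count < 0 ||` in front of the condition closes it; if it is not, a comment saying `count` is already known non-negative would stop the next reader from asking. The check also runs after `msg.header` has been read from `rx_buf_ptr`, so it relies on an earlier check, not visible here, that `count` covers at least the offset plus header; stating that in the comment would make the ordering intentional rather than accidental. process_rx starts and ends outside the hunk.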
diff --git a/queue-7.0/usb-typec-tcpm-validate-vdo-count-in-discover-identity-ack-handlers.patch b/queue-7.0/usb-typec-tcpm-validate-vdo-count-in-discover-identity-ack-handlers.patch
new file mode 100644
index 0000000000..6823079b25
--- /dev/null
+++ b/queue-7.0/usb-typec-tcpm-validate-vdo-count-in-discover-identity-ack-handlers.patch
@@ -0,0 +1,55 @@
+From 8fbc349e8383125dd2d8de1c1e926279d398ab17 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:51 +0200
+Subject: usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
+
+From: Greg Kroah-Hartman
+
+commit 8fbc349e8383125dd2d8de1c1e926279d398ab17 upstream.
+
+Properly validate the count passed from a device when calling
+svdm_consume_identity() or svdm_consume_identity_sop_prime() as the
+device-controlled value could index off of the static arrays, which
+could leak data.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Heikki Krogerus
+Cc: stable
+Reviewed-by: Badhri Jagan Sridharan
+Link: https://patch.msgid.link/2026051350-plated-salute-0efe@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/tcpm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1708,6 +1708,9 @@ static void svdm_consume_identity(struct
+ u32 vdo = p[VDO_INDEX_IDH];
+ u32 product = p[VDO_INDEX_PRODUCT];
+
++ if (cnt <= VDO_INDEX_PRODUCT)
++ return;
++
+ memset(&port->mode_data, 0, sizeof(port->mode_data));
+
+ port->partner_ident.id_header = vdo;
+@@ -1728,6 +1731,9 @@ static void svdm_consume_identity_sop_pr
+ u32 product = p[VDO_INDEX_PRODUCT];
+ int svdm_version;
+
++ if (cnt <= VDO_INDEX_CABLE_1)
++ return;
++
+ /*
+ * Attempt to consume identity only if cable currently is not set
+ */
+@@ -1751,7 +1757,7 @@ static void svdm_consume_identity_sop_pr
+ switch (port->negotiated_rev_prime) {
+ case PD_REV30:
+ port->cable_desc.pd_revision = 0x0300;
+- if (port->cable_desc.active)
++ if (port->cable_desc.active && cnt > VDO_INDEX_CABLE_2)
+ port->cable_ident.vdo[1] = p[VDO_INDEX_CABLE_2];
+ break;
+ case PD_REV20:
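Review bot: In both svdm_consume_identity() and svdm_consume_identity_sop_prime() the loads `u32 vdo = p[VDO_INDEX_IDH];` and `u32 product = p[VDO_INDEX_PRODUCT];` sit in the declarations above the new `cnt` guard, so the elements beyond `cnt` are still read before the function bails out; the guard only stops the values from being consumed. Whether those reads stay inside the caller's backing array cannot be seen here, but moving the loads below the guard (declare `vdo` and `product` without initialisers and assign them after the `return`) makes the check cover the accesses it is meant to protect. The same ordering issue applies at the second hunk, where `product` is loaded before the `VDO_INDEX_CABLE_1` check. Both functions begin and end outside the hunks.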
diff --git a/queue-7.0/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch b/queue-7.0/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
new file mode 100644
index 0000000000..76d9b2e082
--- /dev/null
+++ b/queue-7.0/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
@@ -0,0 +1,54 @@
+From d7486952bf74e546ee3748fb14b2d07881fa6273 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 14 May 2026 19:10:06 +0200
+Subject: usb: typec: ucsi: ccg: reject firmware images without a ':' record header
+
+From: Greg Kroah-Hartman
+
+commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.
+
+do_flash() locates the first .cyacd record with
+
+ p = strnchr(fw->data, fw->size, ':');
+ while (p < eof) {
+ s = strnchr(p + 1, eof - p - 1, ':');
+ ...
+ }
+
+If the firmware image contains no ':' byte, strnchr() returns NULL.
+NULL compares less than the valid kernel pointer eof, so the loop body
+runs and strnchr() is called with p + 1 == (void *)1 and a length of
+roughly (unsigned long)eof, causing a wonderful crash.
+
+The not_signed_fw fallthrough earlier in do_flash() and the chip-state
+branches in ccg_fw_update_needed() allow an unsigned blob to reach this
+loop, so a root user who can place a crafted file under /lib/firmware
+and write the do_flash sysfs attribute can trigger the oops.
+
+Bail out with -EINVAL when the initial strnchr() returns NULL.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Cc: Heikki Krogerus
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -1243,6 +1243,11 @@ not_signed_fw:
+ *****************************************************************/
+
+ p = strnchr(fw->data, fw->size, ':');
++ if (!p) {
++ dev_err(dev, "Bad FW format: no ':' record header found\n");
++ err = -EINVAL;
++ goto release_mem;
++ }
+ while (p < eof) {
+ s = strnchr(p + 1, eof - p - 1, ':');
+
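Review bot: The new NULL check deserves a comment explaining why it is not redundant with the `while (p < eof)` test right below it, e.g. `/* a NULL from strnchr() compares less than eof, so reject it before entering the loop */`; without it the guard reads like an ordinary missing-record check and risks being folded back into the loop condition later. The inner `s = strnchr(p + 1, eof - p - 1, ':')` can presumably also return NULL for a trailing record without a terminator; how the loop body handles that is outside the hunk and worth confirming. do_flash() begins and ends outside the hunk.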
diff --git a/queue-7.0/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch b/queue-7.0/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
new file mode 100644
index 0000000000..bb164da998
--- /dev/null
+++ b/queue-7.0/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
@@ -0,0 +1,43 @@
+From 167dd8d12226587ee554f520aed0256b7769cd5d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:54 +0200
+Subject: usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
+
+From: Greg Kroah-Hartman
+
+commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.
+
+ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
+payload VDO from data[], but unlike the equivalent handler in
+altmodes/displayport.c it does not check that count covers a VDO beyond
+the header. A header-only Configure VDM (count == 1) would read one u32
+past the caller's array.
+
+In the normal UCSI path the caller controls count, so this is hardening
+for non-standard delivery paths. NAK and bail when no configuration VDO
+is present, matching the generic DP altmode driver's existing guard.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Pooja Katiyar
+Cc: Johan Hovold
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/displayport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/displayport.c
++++ b/drivers/usb/typec/ucsi/displayport.c
+@@ -240,6 +240,10 @@ static int ucsi_displayport_vdm(struct t
+ dp->header |= VDO_CMDT(CMDT_RSP_ACK);
+ break;
+ case DP_CMD_CONFIGURE:
++ if (count < 2) {
++ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
++ break;
++ }
+ dp->data.conf = *data;
+ if (ucsi_displayport_configure(dp)) {
+ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
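Review bot: The `count < 2` guard is only correct because, per the commit message, `count` includes the VDM header while `data` presumably points at the first VDO after it; that convention is not visible in the hunk, so a comment such as `/* count includes the header VDO; Configure needs one payload VDO after it */` would make the NAK self-explanatory to the next reader. Any other command in this switch that dereferences `data` would need the same guard, but only the Configure case is visible here. ucsi_displayport_vdm() begins and ends outside the hunk.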
diff --git a/queue-7.0/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch b/queue-7.0/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch
new file mode 100644
index 0000000000..953ce9b70b
--- /dev/null
+++ b/queue-7.0/usb-typec-ucsi-validate-connector-number-in-ucsi_connector_change.patch
@@ -0,0 +1,65 @@
+From 288a81a8507052bcfbf884d39a463c44c42c5fd9 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:55 +0200
+Subject: usb: typec: ucsi: validate connector number in ucsi_connector_change()
+
+From: Greg Kroah-Hartman
+
+commit 288a81a8507052bcfbf884d39a463c44c42c5fd9 upstream.
+
+The connector number in a UCSI CCI notification is a 7-bit field
+supplied by the PPM. ucsi_connector_change() uses it to index the
+ucsi->connector[] array without checking it against the number of
+connectors the PPM reported at init time, so a buggy or malicious PPM
+(EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
+glink transports) can drive schedule_work() on memory past the end of
+the array.
+
+Reject connector numbers that are zero or exceed cap.num_connectors
+before dereferencing the array.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Heikki Krogerus
+Cc: Benson Leung
+Cc: Jameson Thies
+Cc: Nathan Rebello
+Cc: Johan Hovold
+Cc: Pooja Katiyar
+Cc: Hsin-Te Yuan
+Cc: Abel Vesa
+Cc: stable
+Reviewed-by: Abel Vesa
+Reviewed-by: Heikki Krogerus
+Reviewed-by: Benson Leung
+Link: https://patch.msgid.link/2026051351-truck-steadfast-df48@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1370,13 +1370,22 @@ out_unlock:
+ */
+ void ucsi_connector_change(struct ucsi *ucsi, u8 num)
+ {
+- struct ucsi_connector *con = &ucsi->connector[num - 1];
++ struct ucsi_connector *con;
+
+ if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) {
+ dev_dbg(ucsi->dev, "Early connector change event\n");
+ return;
+ }
+
++ if (!num || num > ucsi->cap.num_connectors) {
++ dev_warn_ratelimited(ucsi->dev,
++ "Bogus connector change on %u (max %u)\n",
++ num, ucsi->cap.num_connectors);
++ return;
++ }
++
++ con = &ucsi->connector[num - 1];
++
+ if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags))
+ schedule_work(&con->work);
+ }
diff --git a/queue-7.0/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch b/queue-7.0/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
new file mode 100644
index 0000000000..06ddc8f643
--- /dev/null
+++ b/queue-7.0/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
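Review bot: The range check relies on `ucsi->cap.num_connectors` being populated before connector-change notifications are enabled; the `ucsi->ntfy` test just above suggests that ordering, but the initialisation is outside the hunk and is worth confirming, since a zero `num_connectors` would silently reject every event. A short comment on the new check, e.g. `/* num is 1-based and PPM-supplied; bound it before indexing connector[] */`, would tie the `!num` test and the later `num - 1` together for the next reader. The warning being rate-limited is the right choice for a path an external controller can trigger at will.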
@@ -0,0 +1,79 @@
+From 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:48 +0200
+Subject: usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
+
+From: Greg Kroah-Hartman
+
+commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.
+
+wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
+struct pd_message with
+
+ for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
+ regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+
+which has two problems:
+
+USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
+is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
+The byte count latched in RXINFO is the number of bytes the port partner
+put on the wire, so a malicious partner that transmits a 31-byte frame
+can drive the loop one byte past the destination if the WCOVE BMC
+receiver does not enforce the PD object-count limit in hardware. The
+existing FIXME flagged this as unverified.
+
+Independently, regmap_read() takes an unsigned int * and stores a full
+unsigned int at the destination. Passing the byte pointer msg + i means
+each iteration writes four bytes; the high three are zero (val_bits is
+8) and are normally overwritten by the next iteration, but the final
+iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
+already writes three zero bytes past msg, which sits on the IRQ thread's
+stack in wcove_typec_irq().
+
+Clamp the loop to sizeof(struct pd_message) and read each register into
+a local before storing only its low byte, so the copy can never exceed
+the destination regardless of what RXINFO reports.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/wcove.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -444,9 +444,11 @@ static int wcove_start_toggling(struct t
+ return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
+ }
+
+-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
++static int wcove_read_rx_buffer(struct wcove_typec *wcove,
++ struct pd_message *msg)
+ {
+- unsigned int info;
++ unsigned int info, val, len;
++ u8 *buf = (u8 *)msg;
+ int ret;
+ int i;
+
+@@ -454,12 +456,13 @@ static int wcove_read_rx_buffer(struct w
+ if (ret)
+ return ret;
+
+- /* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
++ len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
+
+- for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
+- ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
++ for (i = 0; i < len; i++) {
++ ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
+ if (ret)
+ return ret;
++ buf[i] = val;
+ }
+
+ return regmap_write(wcove->regmap, USBC_RXSTATUS,