From: Greg Kroah-Hartman
Date: Thu, 4 Jun 2026 08:14:56 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=0ad0f62d7dd6b35ae87a9ff9e4519044ecbc3e79;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
---
diff --git a/queue-5.10/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch b/queue-5.10/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
new file mode 100644
index 0000000000..16c166bd6f
--- /dev/null
+++ b/queue-5.10/bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
@@ -0,0 +1,57 @@
+From 82855073c1081732656734b74d7d1d5e4cfd0da7 Mon Sep 17 00:00:00 2001
+From: Shuai Zhang
+Date: Thu, 21 May 2026 13:25:47 +0800
+Subject: Bluetooth: btusb: Allow firmware re-download when version matches
+
+From: Shuai Zhang
+
+commit 82855073c1081732656734b74d7d1d5e4cfd0da7 upstream.
+
+The Bluetooth host decides whether to download firmware by reading the
+controller firmware download completion flag and firmware version
+information.
+
+If a USB error occurs during the firmware download process (for example
+due to a USB disconnect), the download is aborted immediately. An
+incomplete firmware transfer does not cause the controller to set the
+download completion flag, but the firmware version information may be
+updated at an early stage of the download process.
+
+In this case, after USB reconnection, the host attempts to re-download
+the firmware because the download completion flag is not set. However,
+since the controller reports the same firmware version as the target
+firmware, the download is skipped. This ultimately results in the
+firmware not being properly updated on the controller.
+
+This change removes the restriction that skips firmware download when
+the versions are equal. It covers scenarios where the USB connection
+can be disconnected at any time and ensures that firmware download can
+be retriggered after USB reconnection, allowing the Bluetooth firmware
+to be correctly and completely updated.
+
+Fixes: 3267c884cefa ("Bluetooth: btusb: Add support for QCA ROME chipset family")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shuai Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btusb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3744,7 +3744,13 @@ static int btusb_setup_qca_load_rampatch
+ "firmware rome 0x%x build 0x%x",
+ rver_rom, rver_patch, ver_rom, ver_patch);
+
+- if (rver_rom != ver_rom || rver_patch <= ver_patch) {
++ /* Allow rampatch when the patch version equals the firmware version.
++ * A firmware download may be aborted by a transient USB error (e.g.
++ * disconnect) after the controller updates version info but before
++ * completion.
++ * Allowing equal versions enables re-flashing during recovery.
++ */
++ if (rver_rom != ver_rom || rver_patch < ver_patch) {
+ bt_dev_err(hdev, "rampatch file version did not match with firmware");
+ err = -EINVAL;
+ goto done;
diff --git a/queue-5.10/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch b/queue-5.10/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
new file mode 100644
index 0000000000..043b0c1e9e
--- /dev/null
+++ b/queue-5.10/iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
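Review bot: The six-line comment placed above the relaxed check in btusb.c mostly restates the commit message, which makes the hunk harder to scan than the one-character change deserves; a single why-comment at the call site such as `/* Equal versions are accepted so an interrupted download can be retried */` carries the same information, and the USB-disconnect narrative can stay in the changelog. The check now rejects only a rampatch file that is older than the controller's patch level, so a reader should be told that this is the intended remaining guard rather than an accidental loosening. btusb_setup_qca_load_rampatch() begins and ends outside the hunk.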
@@ -0,0 +1,52 @@
+From c9d8e9adaa63150ef7e833480b799d0bab83a276 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Apr 2026 15:40:48 +0200
+Subject: iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit c9d8e9adaa63150ef7e833480b799d0bab83a276 upstream.
+
+The tagged FIFO path declares iio_buff on the stack with __aligned(8)
+but no initializer, but there is a hole in the structure, which will
+then leak to userspace as ST_LSM6DSX_SAMPLE_SIZE bytes (6) will be
+copied, but the space between that and the timestamp are not
+initialized.
+
+Commit c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak
+issues") moved the untagged FIFO path to a kzalloc'd buffer in hw->scan,
+but for the tagged path it only added the alignment qualifier and not
+the initializer :(
+
+Fix this by just zero-initializing the structure on the stack.
+
+Cc: Lorenzo Bianconi
+Cc: Jonathan Cameron
+Cc: David Lechner
+Cc: "Nuno Sá"
+Cc: Andy Shevchenko
+Fixes: c14edb4d0bdc ("iio:imu:st_lsm6dsx Fix alignment and data leak issues")
+Cc: stable
+Assisted-by: gregkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman
+Reviewed-by: David Lechner
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+@@ -585,7 +585,7 @@ int st_lsm6dsx_read_tagged_fifo(struct s
+ * must be passed a buffer that is aligned to 8 bytes so
+ * as to allow insertion of a naturally aligned timestamp.
+ */
+- u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8);
++ u8 iio_buff[ST_LSM6DSX_IIO_BUFF_SIZE] __aligned(8) = { };
+ u8 tag;
+ bool reset_ts = false;
+ int i, err, read_len;
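Review bot: The `= { }` initializer zeroes iio_buff once per call, which closes the padding leak only if nothing later writes into the bytes between the sample and the timestamp; the per-sample fill loop of st_lsm6dsx_read_tagged_fifo() is outside this hunk, so that should be confirmed against the 5.10 tree when applying. The existing comment above the declaration explains the alignment but not the initializer, so a reader of the backport will not know why the zeroing matters; extending it with a line such as `* It is zero-initialized because only the sample bytes are written and the whole buffer is pushed to userspace.` documents the defect being fixed. The function itself begins and ends outside the hunk.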
diff --git a/queue-5.10/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch b/queue-5.10/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
new file mode 100644
index 0000000000..33b71d44f7
--- /dev/null
+++ b/queue-5.10/input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
@@ -0,0 +1,35 @@
+From dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Fri, 22 May 2026 10:54:04 +0200
+Subject: Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
+
+From: Thomas Fourier
+
+commit dab48a7e74e6a394f3aa0461a2b1fb0c7b38fcb8 upstream.
+
+The input buffer size is pcu->max_in_size, but pcu->max_out_size is
+passed to usb_free_coherent().
+
+Change size to match the allocation size.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Fourier
+Link: https://patch.msgid.link/20260522085412.45430-2-fourier.thomas@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/misc/ims-pcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1598,7 +1598,7 @@ static void ims_pcu_buffers_free(struct
+ usb_kill_urb(pcu->urb_in);
+ usb_free_urb(pcu->urb_in);
+
+- usb_free_coherent(pcu->udev, pcu->max_out_size,
++ usb_free_coherent(pcu->udev, pcu->max_in_size,
+ pcu->urb_in_buf, pcu->read_dma);
+
+ kfree(pcu->urb_out_buf);
diff --git a/queue-5.10/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch b/queue-5.10/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
new file mode 100644
index 0000000000..f2d2a87cc2
--- /dev/null
+++ b/queue-5.10/input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
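Review bot: The size handed to usb_free_coherent() has to be the one used at the matching usb_alloc_coherent() for pcu->urb_in_buf, and that allocation is outside this hunk; the commit message says it is pcu->max_in_size, which should be verified against the 5.10 copy of ims-pcu.c before the patch is queued, since the two fields can differ in the older tree as well. A short comment on the freed pair, `/* urb_in_buf was allocated with max_in_size, not max_out_size */`, would keep the two sizes from being swapped again. ims_pcu_buffers_free() begins and ends outside the hunk.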
@@ -0,0 +1,61 @@
+From 2905281cbda52ec9df540113b35b835feb5fafd3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 20 Apr 2026 18:00:27 +0200
+Subject: Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kroah-Hartman
+
+commit 2905281cbda52ec9df540113b35b835feb5fafd3 upstream.
+
+nexio_read_data() pulls data_len and x_len from a packed __be16 header
+in the device's interrupt packet and then walks packet->data[0..x_len)
+and packet->data[x_len..data_len) comparing each byte against a
+threshold.
+
+Both fields are 16-bit on the wire (max 65535). The existing
+adjustments shave at most 0x100 / 0x80 off, so the loop bound can still
+reach roughly 0xfeff. The URB transfer buffer for NEXIO is rept_size
+(1024) bytes from usb_alloc_coherent(), with the first 7 occupied by the
+packed header — so packet->data[] has 1017 valid bytes. read_data()
+callbacks are not given urb->actual_length, and nothing else bounds the
+walk.
+
+A device that lies about its length can get a ~64 KiB out-of-bounds read
+past the coherent DMA allocation. The first index whose byte exceeds
+NEXIO_THRESHOLD lands in begin_x / begin_y and from there into the
+reported touch coordinates, so adjacent kernel memory contents leak to
+userspace as ABS_X / ABS_Y events. Far enough out, the read can also
+hit an unmapped page and fault.
+
+Fix this all by clamping data_len to the buffer's data[] capacity and
+x_len to data_len.
+
+Cc: Dmitry Torokhov
+Fixes: 5197424cdccc ("Input: usbtouchscreen - add NEXIO (or iNexio) support")
+Cc: stable
+Assisted-by: gkh_clanker_t1000
+Signed-off-by: Greg Kroah-Hartman
+Link: https://patch.msgid.link/2026042026-chlorine-epidermis-fd6d@gregkh
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -1060,6 +1060,11 @@ static int nexio_read_data(struct usbtou
+ if (x_len > 0xff)
+ x_len -= 0x80;
+
++ if (data_len > usbtouch->data_size - sizeof(*packet))
++ data_len = usbtouch->data_size - sizeof(*packet);
++ if (x_len > data_len)
++ x_len = data_len;
++
+ /* send ACK */
+ ret = usb_submit_urb(priv->ack, GFP_ATOMIC);
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 7512e7799b..731a16e628 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1,3 +1,4 @@
+input-usbtouchscreen-clamp-nexio-data_len-x_len-to-urb-buffer-size.patch
 alsa-usb-audio-fix-null-pointer-dereference-on-point.patch
 net-sched-cls_fw-fix-null-dereference-of-old-filters.patch
 phy-renesas-rcar-gen3-usb2-fix-the-use-of-msleep-dur.patch
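Review bot: The new clamp in nexio_read_data() silently accepts a packet whose declared data_len exceeds the URB buffer, so a device that lies about its length leaves no trace in the log; a rate-limited dev_dbg() on the device before the clamp, or dropping the packet outright, would give an operator something to correlate when a misbehaving or hostile touchscreen is investigated. The bound `usbtouch->data_size - sizeof(*packet)` is evaluated twice and mixes data_len's integer type with size_t; computing it once as `size_t max_len = usbtouch->data_size - sizeof(*packet);` keeps the unsigned promotion of data_len visible and is safe only because data_len is never negative after the 0x100/0x80 adjustments, which the hunk shows, while the subtraction itself would wrap if data_size were ever smaller than the header, which the commit message rules out for NEXIO (rept_size 1024). nexio_read_data() begins and ends outside the hunk.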
@@ -41,3 +42,11 @@ batman-adv-bla-avoid-double-decrement-of-bla.num_req.patch
 revert-rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch
 rdma-rxe-fix-double-free-in-rxe_srq_from_init.patch-26331
 smb-client-fix-smbdirect_recv_io-leak-in-smbd_negoti.patch
+iio-imu-st_lsm6dsx-fix-stack-leak-in-tagged-fifo-buffer.patch
+usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
+usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
+usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
+usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
+usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
+input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
+bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
diff --git a/queue-5.10/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch b/queue-5.10/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644
index 0000000000..915d2304bd
--- /dev/null
+++ b/queue-5.10/usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
@@ -0,0 +1,49 @@
+From 438061ed1ad85e6743e2dce826671772d81089ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 22 May 2026 16:22:18 +0200
+Subject: USB: serial: safe_serial: fix memory corruption with small endpoint
+
+From: Johan Hovold
+
+commit 438061ed1ad85e6743e2dce826671772d81089ec upstream.
+
+Make sure that the bulk-out buffer size is at least eight bytes to avoid
+user-controlled slab corruption in "safe" mode should a malicious device
+report a smaller size.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/safe_serial.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/safe_serial.c
++++ b/drivers/usb/serial/safe_serial.c
+@@ -259,6 +259,7 @@ static int safe_prepare_write_buffer(str
+ static int safe_startup(struct usb_serial *serial)
+ {
+ struct usb_interface_descriptor *desc;
++ int bulk_out_size;
+
+ if (serial->dev->descriptor.bDeviceClass != CDC_DEVICE_CLASS)
+ return -ENODEV;
+@@ -279,6 +280,16 @@ static int safe_startup(struct usb_seria
+ default:
+ return -EINVAL;
+ }
++
++ /*
++ * The bulk-out buffer needs to be large enough for the two-byte
++ * trailer in safe mode, but assume anything smaller than eight bytes
++ * is broken.
++ */
++ bulk_out_size = serial->port[0]->bulk_out_size;
++ if (bulk_out_size > 0 && bulk_out_size < 8)
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-5.10/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch b/queue-5.10/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
new file mode 100644
index 0000000000..2b943564c3
--- /dev/null
+++ b/queue-5.10/usb-typec-altmodes-displayport-validate-count-before-reading-status-update-vdo.patch
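Review bot: The threshold in the new safe_startup() check is a bare magic number; a named constant such as `#define SAFE_MIN_BULK_OUT_SIZE 8` near the top of safe_serial.c ties the comment's "eight bytes" to the code and gives the next reader one place to change. The `bulk_out_size > 0 &&` exemption is not explained by the comment: presumably a port without a bulk-out endpoint reports 0 and the write path copes with that, and a clause saying so, e.g. `* A size of 0 means no bulk-out endpoint and is handled by the write path.`, would stop a later cleanup from tightening it to `< 8` and rejecting such devices. The check also assumes serial->port[0] is populated at this point, which cannot be confirmed from the hunk; safe_startup() is shown in full but its callers are not.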
@@ -0,0 +1,35 @@
+From 8a18f896e667df491331371b55d4ad644dc51d60 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:49 +0200
+Subject: usb: typec: altmodes/displayport: validate count before reading Status Update VDO
+
+From: Greg Kroah-Hartman
+
+commit 8a18f896e667df491331371b55d4ad644dc51d60 upstream.
+
+A broken/malicious device can send the incorrect count for a status
+update VDO, which will cause the kernel to read uninitialized stack data
+and send it off elsewhere.
+
+Fix this up by correctly verifying the count for the update object.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/2026051350-reacquire-sculpture-4244@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -292,6 +292,8 @@ static int dp_altmode_vdm(struct typec_a
+ }
+ break;
+ case DP_CMD_STATUS_UPDATE:
++ if (count < 2)
++ break;
+ dp->data.status = *vdo;
+ ret = dp_altmode_status_update(dp);
+ break;
diff --git a/queue-5.10/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch b/queue-5.10/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
new file mode 100644
index 0000000000..3a9235e5d2
--- /dev/null
+++ b/queue-5.10/usb-typec-ucsi-ccg-reject-firmware-images-without-a-record-header.patch
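Review bot: A Status Update response with count < 2 is now dropped by the bare `break` in dp_altmode_vdm() with no trace, so a partner that sends malformed VDMs stays invisible to anyone debugging the port; a rate-limited dev_dbg() on the altmode device before the break would give something to correlate when such a device is investigated. The constant 2 is only obvious to someone who knows count includes the header VDO, so a one-line comment on the guard, `/* header VDO only: no Status Update VDO to read */`, documents the check. dp_altmode_vdm() begins and ends outside the hunk, and the same count-versus-payload pattern is worth checking in the other cases of that switch, which are not visible here.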
@@ -0,0 +1,54 @@
+From d7486952bf74e546ee3748fb14b2d07881fa6273 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 14 May 2026 19:10:06 +0200
+Subject: usb: typec: ucsi: ccg: reject firmware images without a ':' record header
+
+From: Greg Kroah-Hartman
+
+commit d7486952bf74e546ee3748fb14b2d07881fa6273 upstream.
+
+do_flash() locates the first .cyacd record with
+
+ p = strnchr(fw->data, fw->size, ':');
+ while (p < eof) {
+ s = strnchr(p + 1, eof - p - 1, ':');
+ ...
+ }
+
+If the firmware image contains no ':' byte, strnchr() returns NULL.
+NULL compares less than the valid kernel pointer eof, so the loop body
+runs and strnchr() is called with p + 1 == (void *)1 and a length of
+roughly (unsigned long)eof, causing a wonderful crash.
+
+The not_signed_fw fallthrough earlier in do_flash() and the chip-state
+branches in ccg_fw_update_needed() allow an unsigned blob to reach this
+loop, so a root user who can place a crafted file under /lib/firmware
+and write the do_flash sysfs attribute can trigger the oops.
+
+Bail out with -EINVAL when the initial strnchr() returns NULL.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Cc: Heikki Krogerus
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+Link: https://patch.msgid.link/2026051405-posture-shrill-7884@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -1156,6 +1156,11 @@ not_signed_fw:
+ *****************************************************************/
+
+ p = strnchr(fw->data, fw->size, ':');
++ if (!p) {
++ dev_err(dev, "Bad FW format: no ':' record header found\n");
++ err = -EINVAL;
++ goto release_mem;
++ }
+ while (p < eof) {
+ s = strnchr(p + 1, eof - p - 1, ':');
+
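Review bot: The new guard covers the initial strnchr() in do_flash(), but the very next line, `s = strnchr(p + 1, eof - p - 1, ':');`, can return NULL for an image whose last record is not followed by another ':', and whether `s` is checked before it is compared with or subtracted from eof is outside the hunk; if it is not already handled, the same NULL-versus-pointer comparison trap would remain inside the loop, so that should be verified alongside this backport. Since the image is root-supplied from /lib/firmware, dev_err() is the right severity for a rejected file and the message is clear. The release_mem label and the err variable are defined outside the hunk.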
diff --git a/queue-5.10/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch b/queue-5.10/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
new file mode 100644
index 0000000000..bd2e7dd9ac
--- /dev/null
+++ b/queue-5.10/usb-typec-ucsi-displayport-nak-dp_cmd_configure-without-a-payload-vdo.patch
@@ -0,0 +1,43 @@
+From 167dd8d12226587ee554f520aed0256b7769cd5d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:54 +0200
+Subject: usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
+
+From: Greg Kroah-Hartman
+
+commit 167dd8d12226587ee554f520aed0256b7769cd5d upstream.
+
+ucsi_displayport_vdm() handles a DP_CMD_CONFIGURE by copying the first
+payload VDO from data[], but unlike the equivalent handler in
+altmodes/displayport.c it does not check that count covers a VDO beyond
+the header. A header-only Configure VDM (count == 1) would read one u32
+past the caller's array.
+
+In the normal UCSI path the caller controls count, so this is hardening
+for non-standard delivery paths. NAK and bail when no configuration VDO
+is present, matching the generic DP altmode driver's existing guard.
+
+Assisted-by: gkh_clanker_t1000
+Cc: Pooja Katiyar
+Cc: Johan Hovold
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/2026051351-vividly-flattered-eb3d@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/displayport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/displayport.c
++++ b/drivers/usb/typec/ucsi/displayport.c
+@@ -211,6 +211,10 @@ static int ucsi_displayport_vdm(struct t
+ dp->header |= VDO_CMDT(CMDT_RSP_ACK);
+ break;
+ case DP_CMD_CONFIGURE:
++ if (count < 2) {
++ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
++ break;
++ }
+ dp->data.conf = *data;
+ if (ucsi_displayport_configure(dp)) {
+ dp->header |= VDO_CMDT(CMDT_RSP_NAK);
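Review bot: The new NAK path in ucsi_displayport_vdm() leaves no record of why a Configure was refused, which makes a partner that sends header-only VDMs hard to distinguish from a configure failure that takes the existing NAK branch a few lines below; a rate-limited dev_dbg() inside the new `if (count < 2)` block would separate the two cases for anyone debugging the port. A one-line comment on the guard, `/* header VDO only: no Configure VDO to copy */`, would also make the threshold self-explanatory, since count includes the header. ucsi_displayport_vdm() begins and ends outside the hunk, and any other case in that switch that dereferences `*data` is not visible here and would need the same check.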
diff --git a/queue-5.10/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch b/queue-5.10/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
new file mode 100644
index 0000000000..b94880a9bb
--- /dev/null
+++ b/queue-5.10/usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
@@ -0,0 +1,79 @@
+From 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 13 May 2026 17:52:48 +0200
+Subject: usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
+
+From: Greg Kroah-Hartman
+
+commit 4af7ad0e6d7aa4403dbb1dac7b9659b0421efcaa upstream.
+
+wcove_read_rx_buffer() copies the PD RX FIFO into the caller's
+struct pd_message with
+
+ for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++)
+ regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
+
+which has two problems:
+
+USBC_RXINFO_RXBYTES() is a 5-bit field (max 31) while struct pd_message
+is 30 bytes (__le16 header + __le32 payload[PD_MAX_PAYLOAD], packed).
+The byte count latched in RXINFO is the number of bytes the port partner
+put on the wire, so a malicious partner that transmits a 31-byte frame
+can drive the loop one byte past the destination if the WCOVE BMC
+receiver does not enforce the PD object-count limit in hardware. The
+existing FIXME flagged this as unverified.
+
+Independently, regmap_read() takes an unsigned int * and stores a full
+unsigned int at the destination. Passing the byte pointer msg + i means
+each iteration writes four bytes; the high three are zero (val_bits is
+8) and are normally overwritten by the next iteration, but the final
+iteration's high bytes are not. With RXBYTES == 30 the i == 29 iteration
+already writes three zero bytes past msg, which sits on the IRQ thread's
+stack in wcove_typec_irq().
+
+Clamp the loop to sizeof(struct pd_message) and read each register into
+a local before storing only its low byte, so the copy can never exceed
+the destination regardless of what RXINFO reports.
+
+Assisted-by: gkh_clanker_t1000
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Link: https://patch.msgid.link/2026051347-clustered-deflected-9543@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/tcpm/wcove.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -443,9 +443,11 @@ static int wcove_start_toggling(struct t
+ return regmap_write(wcove->regmap, USBC_CONTROL1, usbc_ctrl);
+ }
+
+-static int wcove_read_rx_buffer(struct wcove_typec *wcove, void *msg)
++static int wcove_read_rx_buffer(struct wcove_typec *wcove,
++ struct pd_message *msg)
+ {
+- unsigned int info;
++ unsigned int info, val, len;
++ u8 *buf = (u8 *)msg;
+ int ret;
+ int i;
+
+@@ -453,12 +455,13 @@ static int wcove_read_rx_buffer(struct w
+ if (ret)
+ return ret;
+
+- /* FIXME: Check that USBC_RXINFO_RXBYTES(info) matches the header */
+ len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg));
+
+- for (i = 0; i < USBC_RXINFO_RXBYTES(info); i++) {
+- ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, msg + i);
++ for (i = 0; i < len; i++) {
++ ret = regmap_read(wcove->regmap, USBC_RX_DATA + i, &val);
+ if (ret)
+ return ret;
++ buf[i] = val;
+ }
+
+ return regmap_write(wcove->regmap, USBC_RXSTATUS,
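Review bot: On 5.10 `min()` still requires both arguments to have the same type, and `len = min(USBC_RXINFO_RXBYTES(info), sizeof(*msg))` compares what is presumably an unsigned int mask expression (USBC_RXINFO_RXBYTES() is defined outside the hunk) with a size_t, which in that tree produces the "comparison of distinct pointer types lacks a cast" warning that upstream's later minmax rework relaxed; `len = min_t(unsigned int, USBC_RXINFO_RXBYTES(info), sizeof(*msg));` is the form this tree expects. The loop then compares the signed `int i` with the new unsigned `len`, harmless because len is at most 30 but easily avoided by declaring `unsigned int i;`. As transcribed here, the `len = min(...)` line carries a context marker rather than `+`, which does not match the stated 8 insertions / 5 deletions; that is most likely a rendering artifact of this page, but the queued file should be confirmed to apply cleanly. The closing `return regmap_write(wcove->regmap, USBC_RXSTATUS,` statement continues past the end of the hunk.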