On Wed, May 13, 2026 at 05:52:55PM +0200, Greg Kroah-Hartman wrote:
> The connector number in a UCSI CCI notification is a 7-bit field
> supplied by the PPM. ucsi_connector_change() uses it to index the
> ucsi->connector[] array without checking it against the number of
> connectors the PPM reported at init time, so a buggy or malicious PPM
> (EC firmware, or an I2C-attached UCSI controller on the ccg / stm32g0 /
> glink transports) can drive schedule_work() on memory past the end of
> the array.
>
> Reject connector numbers that are zero or exceed cap.num_connectors
> before dereferencing the array.
>
> Assisted-by: gkh_clanker_t1000
> Cc: Heikki Krogerus
> Cc: Benson Leung
> Cc: Jameson Thies
> Cc: Nathan Rebello
> Cc: Johan Hovold
> Cc: Pooja Katiyar
> Cc: Hsin-Te Yuan
> Cc: Abel Vesa
> Cc: stable
> Signed-off-by: Greg Kroah-Hartman

Reviewed-by: Benson Leung

> ---
> drivers/usb/typec/ucsi/ucsi.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index 5b7ad9e99cb9..539dc706798d 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -1380,13 +1380,22 @@ static void ucsi_handle_connector_change(struct work_struct *work) > */ > void ucsi_connector_change(struct ucsi *ucsi, u8 num) > { > - struct ucsi_connector *con = &ucsi->connector[num - 1]; > + struct ucsi_connector *con; > > if (!(ucsi->ntfy & UCSI_ENABLE_NTFY_CONNECTOR_CHANGE)) { > dev_dbg(ucsi->dev, "Early connector change event\n"); > return; > } > > + if (!num || num > ucsi->cap.num_connectors) { > + dev_warn_ratelimited(ucsi->dev, > + "Bogus connector change on %u (max %u)\n", > + num, ucsi->cap.num_connectors); > + return; > + } > + > + con = &ucsi->connector[num - 1]; > + > if (!test_and_set_bit(EVENT_PENDING, &ucsi->flags)) > schedule_work(&con->work); > } > -- > 2.54.0 >
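Review bot: the new range check in the hunk at @@ -1380,13 +1380,22 @@ silently depends on ordering that deserves a one-line comment: it sits after the UCSI_ENABLE_NTFY_CONNECTOR_CHANGE gate, so it assumes cap.num_connectors, and the connector[] array it sizes, are already populated by the time that notification bit is enabled. If cap.num_connectors were still 0 at that point the check rejects every event, which fails safe, but nothing in the function says so. The rest looks right: moving `con = &ucsi->connector[num - 1];` below the check also removes the out-of-range pointer computation the old initializer performed before any dereference, and dev_warn_ratelimited() is the correct choice here since a malicious PPM could otherwise flood the log with bogus connector numbers.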