public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH 0/1] Backport request: Fix reading issue on mcp2221
@ 2025-10-07 13:08 Romain Sioen
  2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen
  0 siblings, 1 reply; 7+ messages in thread
From: Romain Sioen @ 2025-10-07 13:08 UTC (permalink / raw)
  To: stable; +Cc: contact, jikos, Romain Sioen

Hi maintainers,

Please consider backporting the following patches to the stable trees.
These patches fix a significant reading issue with mcp2221 on i2c eeprom.
This request is following the one I did previously to fix hid-mcp2221
in previous LTS versions.

I have confirmed that the patches applie cleanly and build successfully
against v6.12, v6.6, v6.1, v5.15 and v5.10 stable branches.

Thanks,

Romain

Arnaud Lecomte (1):
  hid: fix I2C read buffer overflow in raw_event() for mcp2221

 drivers/hid/hid-mcp2221.c | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.48.1


^ permalink raw reply	[flat|nested] 7+ messages in thread
* [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
  2025-10-07 13:08 [PATCH 0/1] Backport request: Fix reading issue on mcp2221 Romain Sioen
@ 2025-10-07 13:08 ` Romain Sioen
  2025-10-07 13:16   ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Romain Sioen @ 2025-10-07 13:08 UTC (permalink / raw)
  To: stable; +Cc: contact, jikos, syzbot+52c1a7d3e5b361ccd346, Romain Sioen

From: Arnaud Lecomte <contact@arnaud-lcm.com>

[ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]

As reported by syzbot, mcp2221_raw_event lacked
validation of incoming I2C read data sizes, risking buffer
overflows in mcp->rxbuf during multi-part transfers.
As highlighted in the DS20005565B spec, p44, we have:
"The number of read-back data bytes to follow in this packet:
from 0 to a maximum of 60 bytes of read-back bytes."
This patch enforces we don't exceed this limit.

Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
[romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]
Signed-off-by: Romain Sioen <romain.sioen@microchip.com>
---
 drivers/hid/hid-mcp2221.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c
index 0f93c22a479f..83941b916cd6 100644
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_device *hdev,
 			}
 			if (data[2] == MCP2221_I2C_READ_COMPL ||
 			    data[2] == MCP2221_I2C_READ_PARTIAL) {
+				if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) {
+					mcp->status = -EINVAL;
+					break;
+				}
 				buf = mcp->rxbuf;
 				memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]);
 				mcp->rxbuf_idx = mcp->rxbuf_idx + data[3];
-- 
2.48.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
  2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen
@ 2025-10-07 13:16   ` Greg KH
  2025-10-07 15:23     ` Lecomte, Arnaud
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2025-10-07 13:16 UTC (permalink / raw)
  To: Romain Sioen; +Cc: stable, contact, jikos, syzbot+52c1a7d3e5b361ccd346

On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
> From: Arnaud Lecomte <contact@arnaud-lcm.com>
> 
> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
> 
> As reported by syzbot, mcp2221_raw_event lacked
> validation of incoming I2C read data sizes, risking buffer
> overflows in mcp->rxbuf during multi-part transfers.
> As highlighted in the DS20005565B spec, p44, we have:
> "The number of read-back data bytes to follow in this packet:
> from 0 to a maximum of 60 bytes of read-back bytes."
> This patch enforces we don't exceed this limit.
> 
> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]

I don't see a fixes tag :(

And is this only for 6.12 and 6.16?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
  2025-10-07 13:16   ` Greg KH
@ 2025-10-07 15:23     ` Lecomte, Arnaud
  2025-10-07 15:26       ` Greg KH
  0 siblings, 1 reply; 7+ messages in thread
From: Lecomte, Arnaud @ 2025-10-07 15:23 UTC (permalink / raw)
  To: Greg KH, Romain Sioen; +Cc: stable, jikos, syzbot+52c1a7d3e5b361ccd346


On 07/10/2025 15:16, Greg KH wrote:
> On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
>> From: Arnaud Lecomte <contact@arnaud-lcm.com>
>>
>> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
>>
>> As reported by syzbot, mcp2221_raw_event lacked
>> validation of incoming I2C read data sizes, risking buffer
>> overflows in mcp->rxbuf during multi-part transfers.
>> As highlighted in the DS20005565B spec, p44, we have:
>> "The number of read-back data bytes to follow in this packet:
>> from 0 to a maximum of 60 bytes of read-back bytes."
>> This patch enforces we don't exceed this limit.
>>
>> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
>> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
>> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
>> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
>> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]
> I don't see a fixes tag :(
Hey, I am the author of the patch. I can find the fixes tag if this 
looks good to you.
Thanks,

Arnaud

> And is this only for 6.12 and 6.16?
>
> thanks,
>
> greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
  2025-10-07 15:23     ` Lecomte, Arnaud
@ 2025-10-07 15:26       ` Greg KH
  2025-10-08  6:50         ` Lecomte, Arnaud
  0 siblings, 1 reply; 7+ messages in thread
From: Greg KH @ 2025-10-07 15:26 UTC (permalink / raw)
  To: Lecomte, Arnaud; +Cc: Romain Sioen, stable, jikos, syzbot+52c1a7d3e5b361ccd346

On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote:
> 
> On 07/10/2025 15:16, Greg KH wrote:
> > On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
> > > From: Arnaud Lecomte <contact@arnaud-lcm.com>
> > > 
> > > [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
> > > 
> > > As reported by syzbot, mcp2221_raw_event lacked
> > > validation of incoming I2C read data sizes, risking buffer
> > > overflows in mcp->rxbuf during multi-part transfers.
> > > As highlighted in the DS20005565B spec, p44, we have:
> > > "The number of read-back data bytes to follow in this packet:
> > > from 0 to a maximum of 60 bytes of read-back bytes."
> > > This patch enforces we don't exceed this limit.
> > > 
> > > Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
> > > Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> > > Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
> > > Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
> > > Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> > > [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]
> > I don't see a fixes tag :(
> Hey, I am the author of the patch. I can find the fixes tag if this looks
> good to you.

There's no need for a fixes tag, just let us know where you want this
backported to.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
  2025-10-07 15:26       ` Greg KH
@ 2025-10-08  6:50         ` Lecomte, Arnaud
  2025-10-08  8:22           ` romain.sioen
  0 siblings, 1 reply; 7+ messages in thread
From: Lecomte, Arnaud @ 2025-10-08  6:50 UTC (permalink / raw)
  To: Greg KH; +Cc: Romain Sioen, stable, jikos, syzbot+52c1a7d3e5b361ccd346


On 07/10/2025 17:26, Greg KH wrote:
> On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote:
>> On 07/10/2025 15:16, Greg KH wrote:
>>> On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
>>>> From: Arnaud Lecomte <contact@arnaud-lcm.com>
>>>>
>>>> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
>>>>
>>>> As reported by syzbot, mcp2221_raw_event lacked
>>>> validation of incoming I2C read data sizes, risking buffer
>>>> overflows in mcp->rxbuf during multi-part transfers.
>>>> As highlighted in the DS20005565B spec, p44, we have:
>>>> "The number of read-back data bytes to follow in this packet:
>>>> from 0 to a maximum of 60 bytes of read-back bytes."
>>>> This patch enforces we don't exceed this limit.
>>>>
>>>> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
>>>> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
>>>> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
>>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
>>>> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com
>>>> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
>>>> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag]
>>> I don't see a fixes tag :(
>> Hey, I am the author of the patch. I can find the fixes tag if this looks
>> good to you.
> There's no need for a fixes tag, just let us know where you want this
> backported to.
The ones, you already did the back-port to, seems good enough for me,
Thanks Greg :)
> thanks,
>
> greg k-h
Arnaud

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221
  2025-10-08  6:50         ` Lecomte, Arnaud
@ 2025-10-08  8:22           ` romain.sioen
  0 siblings, 0 replies; 7+ messages in thread
From: romain.sioen @ 2025-10-08  8:22 UTC (permalink / raw)
  To: Lecomte, Arnaud, Greg KH, Romain Sioen - M70749,
	stable@vger.kernel.org, jikos@kernel.org,
	syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com

Hi all,

On 10/8/25 8:50 AM, "Lecomte, Arnaud" <contact@arnaud-lcm.com> wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you know 
> the content is safe
> 
> On 07/10/2025 17:26, Greg KH wrote:
> > On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote:
> >> On 07/10/2025 15:16, Greg KH wrote:
> >>> On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote:
> >>>> From: Arnaud Lecomte <contact@arnaud-lcm.com>
> >>>>
> >>>> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ]
> >>>>
> >>>> As reported by syzbot, mcp2221_raw_event lacked
> >>>> validation of incoming I2C read data sizes, risking buffer
> >>>> overflows in mcp->rxbuf during multi-part transfers.
> >>>> As highlighted in the DS20005565B spec, p44, we have:
> >>>> "The number of read-back data bytes to follow in this packet:
> >>>> from 0 to a maximum of 60 bytes of read-back bytes."
> >>>> This patch enforces we don't exceed this limit.
> >>>>
> >>>> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> >>>> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346
> >>>> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com
> >>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
> >>>> Link: https://patch.msgid.link/20250726220931.7126-1- 
> >>>> contact@arnaud-lcm.com
> >>>> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
> >>>> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add 
> >>>> "Fixes" tag]
> >>> I don't see a fixes tag :(
> >> Hey, I am the author of the patch. I can find the fixes tag if this 
> >> looks
> >> good to you.
> > There's no need for a fixes tag, just let us know where you want this
> > backported to.
> The ones, you already did the back-port to, seems good enough for me,
> Thanks Greg :)
> > thanks,
> >
> > greg k-h
> Arnaud
> 

Sorry for the confusion, I didn't put a tag indeed. I just wanted to backport this
patch to previous LTS versions 5.10, 5.15, 6.1, 6.6 and 6.12 as we need it to solve 
a bug. I tested it in all these stable versions and can confirm that it compiles correctly.
This is in the continuity of a backport request I made 1 month ago which has been accepted
and merged.

Thank you for your help,

Romain

^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2025-10-08  8:23 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-07 13:08 [PATCH 0/1] Backport request: Fix reading issue on mcp2221 Romain Sioen
2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen
2025-10-07 13:16   ` Greg KH
2025-10-07 15:23     ` Lecomte, Arnaud
2025-10-07 15:26       ` Greg KH
2025-10-08  6:50         ` Lecomte, Arnaud
2025-10-08  8:22           ` romain.sioen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox