* [PATCH 0/1] Backport request: Fix reading issue on mcp2221 @ 2025-10-07 13:08 Romain Sioen 2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen 0 siblings, 1 reply; 7+ messages in thread From: Romain Sioen @ 2025-10-07 13:08 UTC (permalink / raw) To: stable; +Cc: contact, jikos, Romain Sioen Hi maintainers, Please consider backporting the following patches to the stable trees. These patches fix a significant reading issue with mcp2221 on i2c eeprom. This request is following the one I did previously to fix hid-mcp2221 in previous LTS versions. I have confirmed that the patches applie cleanly and build successfully against v6.12, v6.6, v6.1, v5.15 and v5.10 stable branches. Thanks, Romain Arnaud Lecomte (1): hid: fix I2C read buffer overflow in raw_event() for mcp2221 drivers/hid/hid-mcp2221.c | 4 ++++ 1 file changed, 4 insertions(+) -- 2.48.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 2025-10-07 13:08 [PATCH 0/1] Backport request: Fix reading issue on mcp2221 Romain Sioen @ 2025-10-07 13:08 ` Romain Sioen 2025-10-07 13:16 ` Greg KH 0 siblings, 1 reply; 7+ messages in thread From: Romain Sioen @ 2025-10-07 13:08 UTC (permalink / raw) To: stable; +Cc: contact, jikos, syzbot+52c1a7d3e5b361ccd346, Romain Sioen From: Arnaud Lecomte <contact@arnaud-lcm.com> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ] As reported by syzbot, mcp2221_raw_event lacked validation of incoming I2C read data sizes, risking buffer overflows in mcp->rxbuf during multi-part transfers. As highlighted in the DS20005565B spec, p44, we have: "The number of read-back data bytes to follow in this packet: from 0 to a maximum of 60 bytes of read-back bytes." This patch enforces we don't exceed this limit. Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag] Signed-off-by: Romain Sioen <romain.sioen@microchip.com> --- drivers/hid/hid-mcp2221.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/hid/hid-mcp2221.c b/drivers/hid/hid-mcp2221.c index 0f93c22a479f..83941b916cd6 100644 --- a/drivers/hid/hid-mcp2221.c +++ b/drivers/hid/hid-mcp2221.c @@ -814,6 +814,10 @@ static int mcp2221_raw_event(struct hid_device *hdev, } if (data[2] == MCP2221_I2C_READ_COMPL || data[2] == MCP2221_I2C_READ_PARTIAL) { + if (!mcp->rxbuf || mcp->rxbuf_idx < 0 || data[3] > 60) { + mcp->status = -EINVAL; + break; + } buf = mcp->rxbuf; memcpy(&buf[mcp->rxbuf_idx], &data[4], data[3]); mcp->rxbuf_idx = mcp->rxbuf_idx + data[3]; -- 2.48.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen @ 2025-10-07 13:16 ` Greg KH 2025-10-07 15:23 ` Lecomte, Arnaud 0 siblings, 1 reply; 7+ messages in thread From: Greg KH @ 2025-10-07 13:16 UTC (permalink / raw) To: Romain Sioen; +Cc: stable, contact, jikos, syzbot+52c1a7d3e5b361ccd346 On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote: > From: Arnaud Lecomte <contact@arnaud-lcm.com> > > [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ] > > As reported by syzbot, mcp2221_raw_event lacked > validation of incoming I2C read data sizes, risking buffer > overflows in mcp->rxbuf during multi-part transfers. > As highlighted in the DS20005565B spec, p44, we have: > "The number of read-back data bytes to follow in this packet: > from 0 to a maximum of 60 bytes of read-back bytes." > This patch enforces we don't exceed this limit. > > Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 > Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com > Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> > Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com > Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> > [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag] I don't see a fixes tag :( And is this only for 6.12 and 6.16? thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 2025-10-07 13:16 ` Greg KH @ 2025-10-07 15:23 ` Lecomte, Arnaud 2025-10-07 15:26 ` Greg KH 0 siblings, 1 reply; 7+ messages in thread From: Lecomte, Arnaud @ 2025-10-07 15:23 UTC (permalink / raw) To: Greg KH, Romain Sioen; +Cc: stable, jikos, syzbot+52c1a7d3e5b361ccd346 On 07/10/2025 15:16, Greg KH wrote: > On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote: >> From: Arnaud Lecomte <contact@arnaud-lcm.com> >> >> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ] >> >> As reported by syzbot, mcp2221_raw_event lacked >> validation of incoming I2C read data sizes, risking buffer >> overflows in mcp->rxbuf during multi-part transfers. >> As highlighted in the DS20005565B spec, p44, we have: >> "The number of read-back data bytes to follow in this packet: >> from 0 to a maximum of 60 bytes of read-back bytes." >> This patch enforces we don't exceed this limit. >> >> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 >> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com >> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> >> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com >> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> >> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag] > I don't see a fixes tag :( Hey, I am the author of the patch. I can find the fixes tag if this looks good to you. Thanks, Arnaud > And is this only for 6.12 and 6.16? > > thanks, > > greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 2025-10-07 15:23 ` Lecomte, Arnaud @ 2025-10-07 15:26 ` Greg KH 2025-10-08 6:50 ` Lecomte, Arnaud 0 siblings, 1 reply; 7+ messages in thread From: Greg KH @ 2025-10-07 15:26 UTC (permalink / raw) To: Lecomte, Arnaud; +Cc: Romain Sioen, stable, jikos, syzbot+52c1a7d3e5b361ccd346 On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote: > > On 07/10/2025 15:16, Greg KH wrote: > > On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote: > > > From: Arnaud Lecomte <contact@arnaud-lcm.com> > > > > > > [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ] > > > > > > As reported by syzbot, mcp2221_raw_event lacked > > > validation of incoming I2C read data sizes, risking buffer > > > overflows in mcp->rxbuf during multi-part transfers. > > > As highlighted in the DS20005565B spec, p44, we have: > > > "The number of read-back data bytes to follow in this packet: > > > from 0 to a maximum of 60 bytes of read-back bytes." > > > This patch enforces we don't exceed this limit. > > > > > > Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com > > > Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 > > > Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com > > > Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> > > > Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com > > > Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> > > > [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag] > > I don't see a fixes tag :( > Hey, I am the author of the patch. I can find the fixes tag if this looks > good to you. There's no need for a fixes tag, just let us know where you want this backported to. thanks, greg k-h ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 2025-10-07 15:26 ` Greg KH @ 2025-10-08 6:50 ` Lecomte, Arnaud 2025-10-08 8:22 ` romain.sioen 0 siblings, 1 reply; 7+ messages in thread From: Lecomte, Arnaud @ 2025-10-08 6:50 UTC (permalink / raw) To: Greg KH; +Cc: Romain Sioen, stable, jikos, syzbot+52c1a7d3e5b361ccd346 On 07/10/2025 17:26, Greg KH wrote: > On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote: >> On 07/10/2025 15:16, Greg KH wrote: >>> On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote: >>>> From: Arnaud Lecomte <contact@arnaud-lcm.com> >>>> >>>> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ] >>>> >>>> As reported by syzbot, mcp2221_raw_event lacked >>>> validation of incoming I2C read data sizes, risking buffer >>>> overflows in mcp->rxbuf during multi-part transfers. >>>> As highlighted in the DS20005565B spec, p44, we have: >>>> "The number of read-back data bytes to follow in this packet: >>>> from 0 to a maximum of 60 bytes of read-back bytes." >>>> This patch enforces we don't exceed this limit. >>>> >>>> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com >>>> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 >>>> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com >>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> >>>> Link: https://patch.msgid.link/20250726220931.7126-1-contact@arnaud-lcm.com >>>> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> >>>> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add "Fixes" tag] >>> I don't see a fixes tag :( >> Hey, I am the author of the patch. I can find the fixes tag if this looks >> good to you. > There's no need for a fixes tag, just let us know where you want this > backported to. The ones, you already did the back-port to, seems good enough for me, Thanks Greg :) > thanks, > > greg k-h Arnaud ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 2025-10-08 6:50 ` Lecomte, Arnaud @ 2025-10-08 8:22 ` romain.sioen 0 siblings, 0 replies; 7+ messages in thread From: romain.sioen @ 2025-10-08 8:22 UTC (permalink / raw) To: Lecomte, Arnaud, Greg KH, Romain Sioen - M70749, stable@vger.kernel.org, jikos@kernel.org, syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com Hi all, On 10/8/25 8:50 AM, "Lecomte, Arnaud" <contact@arnaud-lcm.com> wrote: > EXTERNAL EMAIL: Do not click links or open attachments unless you know > the content is safe > > On 07/10/2025 17:26, Greg KH wrote: > > On Tue, Oct 07, 2025 at 05:23:17PM +0200, Lecomte, Arnaud wrote: > >> On 07/10/2025 15:16, Greg KH wrote: > >>> On Tue, Oct 07, 2025 at 03:08:11PM +0200, Romain Sioen wrote: > >>>> From: Arnaud Lecomte <contact@arnaud-lcm.com> > >>>> > >>>> [ Upstream commit b56cc41a3ae7323aa3c6165f93c32e020538b6d2 ] > >>>> > >>>> As reported by syzbot, mcp2221_raw_event lacked > >>>> validation of incoming I2C read data sizes, risking buffer > >>>> overflows in mcp->rxbuf during multi-part transfers. > >>>> As highlighted in the DS20005565B spec, p44, we have: > >>>> "The number of read-back data bytes to follow in this packet: > >>>> from 0 to a maximum of 60 bytes of read-back bytes." > >>>> This patch enforces we don't exceed this limit. > >>>> > >>>> Reported-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com > >>>> Closes: https://syzkaller.appspot.com/bug?extid=52c1a7d3e5b361ccd346 > >>>> Tested-by: syzbot+52c1a7d3e5b361ccd346@syzkaller.appspotmail.com > >>>> Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com> > >>>> Link: https://patch.msgid.link/20250726220931.7126-1- > >>>> contact@arnaud-lcm.com > >>>> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> > >>>> [romain.sioen@microchip.com: backport to stable, up to 6.12. Add > >>>> "Fixes" tag] > >>> I don't see a fixes tag :( > >> Hey, I am the author of the patch. I can find the fixes tag if this > >> looks > >> good to you. > > There's no need for a fixes tag, just let us know where you want this > > backported to. > The ones, you already did the back-port to, seems good enough for me, > Thanks Greg :) > > thanks, > > > > greg k-h > Arnaud > Sorry for the confusion, I didn't put a tag indeed. I just wanted to backport this patch to previous LTS versions 5.10, 5.15, 6.1, 6.6 and 6.12 as we need it to solve a bug. I tested it in all these stable versions and can confirm that it compiles correctly. This is in the continuity of a backport request I made 1 month ago which has been accepted and merged. Thank you for your help, Romain ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2025-10-08 8:23 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-10-07 13:08 [PATCH 0/1] Backport request: Fix reading issue on mcp2221 Romain Sioen 2025-10-07 13:08 ` [PATCH 1/1] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Romain Sioen 2025-10-07 13:16 ` Greg KH 2025-10-07 15:23 ` Lecomte, Arnaud 2025-10-07 15:26 ` Greg KH 2025-10-08 6:50 ` Lecomte, Arnaud 2025-10-08 8:22 ` romain.sioen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox