From: Zhang Cen
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, zerocling0077@gmail.com, 2045gemini@gmail.com, Zhang Cen
Subject: [PATCH] USB: serial: cypress_m8: validate interrupt packet headers
Date: Fri, 22 May 2026 00:11:17 +0800
Message-Id: <20260521161117.3501317-1-rollkingzzc@gmail.com>

cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header.

The usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that both the allocated URB buffer and completed packet contain
the selected header before reading it. Malformed short reports are
ignored and the interrupt URB is resubmitted through the existing retry
path, preventing out-of-bounds and stale header-byte reads.

KASAN report as below:

KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
RIP: 0010:kasan_check_range+0x67/0x1b0
Read of size 1
Call trace:
  dump_stack_lvl+0x66/0xa0 (?:?)
  print_report+0xce/0x630 (?:?)
  cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  __virt_addr_valid+0x188/0x320 (?:?)
  kasan_report+0xe0/0x110 (?:?)
  __usb_hcd_giveback_urb+0x103/0x1d0 (?:?)
  __usb_hcd_giveback_urb+0xf3/0x1d0 (?:?)
  __usb_hcd_giveback_urb+0x112/0x1d0 (?:?)
  dummy_timer+0xaaa/0x19a0 (?:?)
  mark_held_locks+0x40/0x70 (?:?)
  _raw_spin_unlock_irqrestore+0x44/0x60 (?:?)
  lockdep_hardirqs_on_prepare+0xb7/0x1a0 (?:?)
  __hrtimer_run_queues+0x102/0x510 (?:?)
  hrtimer_run_softirq+0xd0/0x130 (?:?)
handle_softirqs+0x155/0x650 (?:?) __irq_exit_rcu+0xc4/0x160 (?:?) irq_exit_rcu+0xe/0x20 (?:?) sysvec_apic_timer_interrupt+0x6c/0x80 (?:?) asm_sysvec_apic_timer_interrupt+0x1a/0x20 (?:?) Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from chara= cteristic size") Assisted-by: Codex:gpt-5.5 Signed-off-by: Zhang Cen --- drivers/usb/serial/cypress_m8.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m= 8.c index afff1a0f4298b..50c6abc69e756 100644 --- a/drivers/usb/serial/cypress_m8.c +++ b/drivers/usb/serial/cypress_m8.c @@ -1016,6 +1016,7 @@ static void cypress_read_int_callback(struct urb *urb) unsigned long flags; char tty_flag =3D TTY_NORMAL; int bytes =3D 0; + int header_size =3D 0; int result; int i =3D 0; int status =3D urb->status; @@ -1060,18 +1061,32 @@ static void cypress_read_int_callback(struct urb *u= rb) default: case packet_format_1: /* This is for the CY7C64013... */ + header_size =3D 2; + if (result < header_size || + urb->transfer_buffer_length < header_size) + break; priv->current_status =3D data[0] & 0xF8; bytes =3D data[1] + 2; i =3D 2; break; case packet_format_2: /* This is for the CY7C63743... */ + header_size =3D 1; + if (result < header_size || + urb->transfer_buffer_length < header_size) + break; priv->current_status =3D data[0] & 0xF8; bytes =3D (data[0] & 0x07) + 1; i =3D 1; break; } spin_unlock_irqrestore(&priv->lock, flags); + if (result < header_size || urb->transfer_buffer_length < header_size) { + dev_dbg(dev, + "%s - short packet header - received %d bytes but buffer has %d bytes\n= ", + __func__, result, urb->transfer_buffer_length); + goto continue_read; + } if (result < bytes) { dev_dbg(dev, "%s - wrong packet size - received %d bytes but packet said %d bytes\n", --=20 2.43.0
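
Review bot: The short-header condition `result < header_size || urb->transfer_buffer_length < header_size` is written out three times in the second hunk: once in each `case` while the lock is held, and a third time after `spin_unlock_irqrestore()`. The two in-switch copies only `break`, leaving `bytes` and `i` at 0, and the third copy is the one that performs `goto continue_read`, so the guard on `data[0]`/`data[1]` depends on all three staying in step under later edits. Consider putting the condition in one place (a small helper or a local evaluated once inside the switch) and testing that single result after the unlock. Two smaller points on the new `dev_dbg()`: it prints `urb->transfer_buffer_length` with `%d` although that field is unsigned in `struct urb`, so `%u` is the matching specifier, and the message would be more useful if it also printed `header_size`, since that is the value both lengths are compared against. The commit message lists "out-of-bounds and stale header-byte reads" together; it would help to state which of the two comparisons the KASAN report actually tripped, since the `transfer_buffer_length` test guards the allocation size while the `result` test guards against bytes left over from an earlier transfer.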