From: Zhang Cen
To: Johan Hovold, Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, zerocling0077@gmail.com, 2045gemini@gmail.com, Zhang Cen
Subject: [PATCH v2] USB: serial: cypress_m8: validate interrupt packet headers
Date: Fri, 22 May 2026 22:54:42 +0800
Message-Id: <20260522145442.2868601-1-rollkingzzc@gmail.com>

cypress_read_int_callback() parses the interrupt-in buffer according to
the selected Cypress packet format. Format 1 has a two-byte status/count
header and format 2 has a one-byte combined status/count header.

The usb-serial core sizes the interrupt-in buffer from the endpoint
descriptor's wMaxPacketSize, and successful interrupt transfers can
complete short when URB_SHORT_NOT_OK is not set.

Check that the completed packet contains the selected header before
reading it. Malformed short reports are ignored and the interrupt URB is
resubmitted through the existing retry path, preventing out-of-bounds
header-byte reads.

KASAN report as below:

KASAN slab-out-of-bounds in cypress_read_int_callback+0x240/0x7f0
Read of size 1

Call trace:
 cypress_read_int_callback() (drivers/usb/serial/cypress_m8.c:1009)
 __usb_hcd_giveback_urb()
 dummy_timer()

Fixes: 3416eaa1f8f8 ("USB: cypress_m8: Packet format is separate from characteristic size")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen --- v2: Check only urb->actual_length before reading the packet-format header. Reuse the existing i header-length variable instead of adding a new one. Shorten the KASAN trace in the commit message. drivers/usb/serial/cypress_m8.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m= 8.c index afff1a0f4298b..49c0f3e379bd0 100644 --- a/drivers/usb/serial/cypress_m8.c +++ b/drivers/usb/serial/cypress_m8.c @@ -1060,18 +1060,27 @@ static void cypress_read_int_callback(struct urb *u= rb) default: case packet_format_1: /* This is for the CY7C64013... */ - priv->current_status =3D data[0] & 0xF8; - bytes =3D data[1] + 2; i =3D 2; + if (result < i) + break; + priv->current_status =3D data[0] & 0xF8; + bytes =3D data[1] + i; break; case packet_format_2: /* This is for the CY7C63743... */ + i =3D 1; + if (result < i) + break; priv->current_status =3D data[0] & 0xF8; bytes =3D (data[0] & 0x07) + 1; - i =3D 1; break; } spin_unlock_irqrestore(&priv->lock, flags); + if (result < i) { + dev_dbg(dev, "%s - short packet received: %d bytes\n", + __func__, result); + goto continue_read; + } if (result < bytes) { dev_dbg(dev, "%s - wrong packet size - received %d bytes but packet said %d bytes\n", --=20 2.43.0
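
Review bot: the `result < i` test is repeated three times in this hunk, once in each `case` ahead of the `data[0]`/`data[1]` reads and again after `spin_unlock_irqrestore()`, which makes the short-packet path harder to follow than it needs to be. Consider letting the switch only select the header length `i`, doing a single `result < i` check before any `data[]` access, and parsing the header afterwards, so there is one exit for short packets. As written, the early `break` paths also leave `bytes` unassigned by the switch, so correctness depends on the new `if (result < i)` block staying directly ahead of the existing `if (result < bytes)` test; if the current structure is kept, a one-line comment at that block stating the ordering requirement would guard against a later reorder.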