From 833740a2333c2e4db4e02e3d0ffba04e8718a5f3 Mon Sep 17 00:00:00 2001 From: Bryam Vargas Date: Thu, 18 Jun 2026 00:46:28 -0500 Subject: platform/chrome: sensorhub: Bound the EC-reported sensor number Each EC FIFO event carries an 8-bit sensor number (in->sensor_num). cros_ec_sensorhub_ring_handler() validates the FIFO event count, the per-read count and the ring bound, but not the sensor number, which cros_ec_sensor_ring_process_event() then uses unchecked to index sensorhub->batch_state[] - allocated with only sensorhub->sensor_num entries. A sensor number of sensor_num or larger is an out-of-bounds read and write of batch_state[]. Validate the sensor number in the ring handler, where each event is read from the EC, and drop a malformed event before it is used. Fixes: 145d59baff59 ("platform/chrome: cros_ec_sensorhub: Add FIFO support") Cc: stable@vger.kernel.org Signed-off-by: Bryam Vargas Link: https://lore.kernel.org/r/20260618-b4-disp-adb3f790-v3-1-3a164ed63cbd@proton.me Signed-off-by: Tzung-Bi Shih --- drivers/platform/chrome/cros_ec_sensorhub_ring.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'drivers') diff --git a/drivers/platform/chrome/cros_ec_sensorhub_ring.c b/drivers/platform/chrome/cros_ec_sensorhub_ring.c index a10579144c34..64e9615ed6f4 100644 --- a/drivers/platform/chrome/cros_ec_sensorhub_ring.c +++ b/drivers/platform/chrome/cros_ec_sensorhub_ring.c @@ -890,6 +890,14 @@ static void cros_ec_sensorhub_ring_handler(struct cros_ec_sensorhub *sensorhub) for (in = sensorhub->resp->fifo_read.data, j = 0; j < number_data; j++, in++) { + /* Skip event if sensor_num from EC is out of bounds. */ + if (in->sensor_num >= sensorhub->sensor_num) { + dev_warn_ratelimited(sensorhub->dev, + "Invalid sensor number %u from EC\n", + in->sensor_num); + continue; + } + if (cros_ec_sensor_ring_process_event( sensorhub, fifo_info, fifo_timestamp, -- cgit v1.2.3 From 200691f509fb77be78cd4b2d38b4e540a454bec3 Mon Sep 17 00:00:00 2001 From: "Uwe Kleine-König (The Capable Hub)" Date: Wed, 17 Jun 2026 12:04:13 +0200 Subject: platform/chrome: Drop unused assignment of platform_device_id driver data MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The drivers explicitly set the .driver_data member of struct platform_device_id to zero without relying on that value. Drop these unused assignments. While touching these arrays use a single space in the list terminator consistently. Signed-off-by: Uwe Kleine-König (The Capable Hub) Link: https://lore.kernel.org/r/5b72bac661bdf1c874bea4b91ce3c2eccc84bba1.1781690554.git.u.kleine-koenig@baylibre.com Signed-off-by: Tzung-Bi Shih --- drivers/platform/chrome/cros_ec_chardev.c | 4 ++-- drivers/platform/chrome/cros_ec_debugfs.c | 4 ++-- drivers/platform/chrome/cros_ec_lightbar.c | 4 ++-- drivers/platform/chrome/cros_ec_sensorhub.c | 4 ++-- drivers/platform/chrome/cros_ec_sysfs.c | 4 ++-- drivers/platform/chrome/cros_ec_vbc.c | 4 ++-- drivers/platform/chrome/cros_kbd_led_backlight.c | 4 ++-- drivers/platform/chrome/cros_usbpd_logger.c | 4 ++-- drivers/platform/chrome/cros_usbpd_notify.c | 4 ++-- drivers/platform/chrome/wilco_ec/core.c | 4 ++-- drivers/platform/chrome/wilco_ec/debugfs.c | 4 ++-- drivers/platform/chrome/wilco_ec/telemetry.c | 4 ++-- 12 files changed, 24 insertions(+), 24 deletions(-) (limited to 'drivers') diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c index 47e03014dcbe..2565510ecaa7 100644 --- a/drivers/platform/chrome/cros_ec_chardev.c +++ b/drivers/platform/chrome/cros_ec_chardev.c @@ -485,8 +485,8 @@ static void cros_ec_chardev_remove(struct platform_device *pdev) } static const struct platform_device_id cros_ec_chardev_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_ec_chardev_id); diff --git a/drivers/platform/chrome/cros_ec_debugfs.c b/drivers/platform/chrome/cros_ec_debugfs.c index d10f9561990c..4b8ae51bfaa9 100644 --- a/drivers/platform/chrome/cros_ec_debugfs.c +++ b/drivers/platform/chrome/cros_ec_debugfs.c @@ -558,8 +558,8 @@ static SIMPLE_DEV_PM_OPS(cros_ec_debugfs_pm_ops, cros_ec_debugfs_suspend, cros_ec_debugfs_resume); static const struct platform_device_id cros_ec_debugfs_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_ec_debugfs_id); diff --git a/drivers/platform/chrome/cros_ec_lightbar.c b/drivers/platform/chrome/cros_ec_lightbar.c index f69f2f6de276..d7e9928e263d 100644 --- a/drivers/platform/chrome/cros_ec_lightbar.c +++ b/drivers/platform/chrome/cros_ec_lightbar.c @@ -684,8 +684,8 @@ static SIMPLE_DEV_PM_OPS(cros_ec_lightbar_pm_ops, cros_ec_lightbar_suspend, cros_ec_lightbar_resume); static const struct platform_device_id cros_ec_lightbar_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_ec_lightbar_id); diff --git a/drivers/platform/chrome/cros_ec_sensorhub.c b/drivers/platform/chrome/cros_ec_sensorhub.c index f938c3fc84e4..58eb28d6e118 100644 --- a/drivers/platform/chrome/cros_ec_sensorhub.c +++ b/drivers/platform/chrome/cros_ec_sensorhub.c @@ -268,8 +268,8 @@ static SIMPLE_DEV_PM_OPS(cros_ec_sensorhub_pm_ops, cros_ec_sensorhub_resume); static const struct platform_device_id cros_ec_sensorhub_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_ec_sensorhub_id); diff --git a/drivers/platform/chrome/cros_ec_sysfs.c b/drivers/platform/chrome/cros_ec_sysfs.c index 9d3767ab1548..46e8ac7f94af 100644 --- a/drivers/platform/chrome/cros_ec_sysfs.c +++ b/drivers/platform/chrome/cros_ec_sysfs.c @@ -421,8 +421,8 @@ static void cros_ec_sysfs_remove(struct platform_device *pd) } static const struct platform_device_id cros_ec_sysfs_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_ec_sysfs_id); diff --git a/drivers/platform/chrome/cros_ec_vbc.c b/drivers/platform/chrome/cros_ec_vbc.c index 5ee8adaa6564..9cb4631e1227 100644 --- a/drivers/platform/chrome/cros_ec_vbc.c +++ b/drivers/platform/chrome/cros_ec_vbc.c @@ -135,8 +135,8 @@ static void cros_ec_vbc_remove(struct platform_device *pd) } static const struct platform_device_id cros_ec_vbc_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_ec_vbc_id); diff --git a/drivers/platform/chrome/cros_kbd_led_backlight.c b/drivers/platform/chrome/cros_kbd_led_backlight.c index 80dc52833dc9..7f7483d58170 100644 --- a/drivers/platform/chrome/cros_kbd_led_backlight.c +++ b/drivers/platform/chrome/cros_kbd_led_backlight.c @@ -221,8 +221,8 @@ MODULE_DEVICE_TABLE(acpi, keyboard_led_acpi_match); #endif static const struct platform_device_id keyboard_led_id[] = { - { "cros-keyboard-leds", 0 }, - {} + { .name = "cros-keyboard-leds" }, + { } }; MODULE_DEVICE_TABLE(platform, keyboard_led_id); diff --git a/drivers/platform/chrome/cros_usbpd_logger.c b/drivers/platform/chrome/cros_usbpd_logger.c index d343e1ab6f08..54f04a43cba0 100644 --- a/drivers/platform/chrome/cros_usbpd_logger.c +++ b/drivers/platform/chrome/cros_usbpd_logger.c @@ -249,8 +249,8 @@ static SIMPLE_DEV_PM_OPS(cros_usbpd_logger_pm_ops, cros_usbpd_logger_suspend, cros_usbpd_logger_resume); static const struct platform_device_id cros_usbpd_logger_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_usbpd_logger_id); diff --git a/drivers/platform/chrome/cros_usbpd_notify.c b/drivers/platform/chrome/cros_usbpd_notify.c index c90174360004..bdf3b2ab17a7 100644 --- a/drivers/platform/chrome/cros_usbpd_notify.c +++ b/drivers/platform/chrome/cros_usbpd_notify.c @@ -233,8 +233,8 @@ static void cros_usbpd_notify_remove_plat(struct platform_device *pdev) } static const struct platform_device_id cros_usbpd_notify_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, cros_usbpd_notify_id); diff --git a/drivers/platform/chrome/wilco_ec/core.c b/drivers/platform/chrome/wilco_ec/core.c index 9f978e531e1f..0b13f4509091 100644 --- a/drivers/platform/chrome/wilco_ec/core.c +++ b/drivers/platform/chrome/wilco_ec/core.c @@ -152,8 +152,8 @@ static const struct acpi_device_id wilco_ec_acpi_device_ids[] = { MODULE_DEVICE_TABLE(acpi, wilco_ec_acpi_device_ids); static const struct platform_device_id wilco_ec_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, wilco_ec_id); diff --git a/drivers/platform/chrome/wilco_ec/debugfs.c b/drivers/platform/chrome/wilco_ec/debugfs.c index 0617292b5cd7..69f8ac4d64dd 100644 --- a/drivers/platform/chrome/wilco_ec/debugfs.c +++ b/drivers/platform/chrome/wilco_ec/debugfs.c @@ -266,8 +266,8 @@ static void wilco_ec_debugfs_remove(struct platform_device *pdev) } static const struct platform_device_id wilco_ec_debugfs_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, wilco_ec_debugfs_id); diff --git a/drivers/platform/chrome/wilco_ec/telemetry.c b/drivers/platform/chrome/wilco_ec/telemetry.c index cadb68fa0a40..ac4c5943da1f 100644 --- a/drivers/platform/chrome/wilco_ec/telemetry.c +++ b/drivers/platform/chrome/wilco_ec/telemetry.c @@ -410,8 +410,8 @@ static void telem_device_remove(struct platform_device *pdev) } static const struct platform_device_id telem_id[] = { - { DRV_NAME, 0 }, - {} + { .name = DRV_NAME }, + { } }; MODULE_DEVICE_TABLE(platform, telem_id); -- cgit v1.2.3 From 10a1e8c3539039c4c9de4783a683e8e01a3dee8d Mon Sep 17 00:00:00 2001 From: Chen-Yu Tsai Date: Thu, 25 Jun 2026 14:08:58 +0800 Subject: platform/chrome: of_hw_prober: Use dumb trackpad prober for Spherion The trackpad power supply on Spherion is the system common 3.3V power rail. This is always on as long as the main processor is running. Switch to the dumb trackpad prober since it does not need to manage the power rail. Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20260625060859.1020483-1-wenst@chromium.org Signed-off-by: Tzung-Bi Shih --- drivers/platform/chrome/chromeos_of_hw_prober.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/platform/chrome/chromeos_of_hw_prober.c b/drivers/platform/chrome/chromeos_of_hw_prober.c index f3cd612e5584..8562a0e89dc6 100644 --- a/drivers/platform/chrome/chromeos_of_hw_prober.c +++ b/drivers/platform/chrome/chromeos_of_hw_prober.c @@ -100,7 +100,7 @@ static const struct hw_prober_entry hw_prober_platforms[] = { }, { .compatible = "google,spherion", .prober = chromeos_i2c_component_prober, - .data = &chromeos_i2c_probe_hana_trackpad, + .data = &chromeos_i2c_probe_dumb_trackpad, }, { .compatible = "google,squirtle", .prober = chromeos_i2c_component_prober, -- cgit v1.2.3 From a0a8cd9fc9c48b95095bcec4b146f7a99486f58e Mon Sep 17 00:00:00 2001 From: Maoyi Xie Date: Thu, 25 Jun 2026 21:00:56 +0800 Subject: platform/chrome: cros_ec_typec: Reject out-of-bounds PD cap count cros_typec_register_partner_pdos() copies the partner PDOs from the EC TYPEC_STATUS response into the fixed caps_desc.pdo[PDO_MAX_OBJECTS] array. memcpy(caps_desc.pdo, resp->source_cap_pdos, sizeof(u32) * resp->source_cap_count); ... memcpy(caps_desc.pdo, resp->sink_cap_pdos, sizeof(u32) * resp->sink_cap_count); PDO_MAX_OBJECTS is 7. source_cap_count and sink_cap_count are u8 fields from the EC. The only check is that they are not both zero. If either is larger than 7, the memcpy writes past the end of the array on the stack. A count of 255 overflows it by about 1 KB. The EC source arrays are only seven entries wide. A larger count reads past them too. The ChromeOS EC firmware caps these counts today, so a compliant setup does not hit this. The kernel should still validate these values rather than trust them. Validate the counts in cros_typec_register_partner_pdos() next to the memcpy. Skip the PDO registration if either count is above PDO_MAX_OBJECTS. The rest of cros_typec_handle_status() still runs so events are handled and cleared. Fixes: 348a2e8c93d3 ("platform/chrome: cros_ec_typec: Register partner PDOs") Suggested-by: Andrei Kuchynski Co-developed-by: Kaixuan Li Signed-off-by: Kaixuan Li Signed-off-by: Maoyi Xie Reviewed-by: Benson Leung Reviewed-by: Andrei Kuchynski Link: https://lore.kernel.org/r/20260625130056.3378097-1-maoyixie.tju@gmail.com Signed-off-by: Tzung-Bi Shih --- drivers/platform/chrome/cros_ec_typec.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers') diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c index c0806c562bb9..50a68819ceb7 100644 --- a/drivers/platform/chrome/cros_ec_typec.c +++ b/drivers/platform/chrome/cros_ec_typec.c @@ -1119,6 +1119,12 @@ static void cros_typec_register_partner_pdos(struct cros_typec_data *typec, if (!resp->source_cap_count && !resp->sink_cap_count) return; + if (resp->source_cap_count > PDO_MAX_OBJECTS || + resp->sink_cap_count > PDO_MAX_OBJECTS) { + dev_warn(typec->dev, "Invalid PDO count from EC, port: %d\n", port_num); + return; + } + port->partner_pd = typec_partner_usb_power_delivery_register(port->partner, &desc); if (IS_ERR(port->partner_pd)) { dev_warn(typec->dev, "Failed to register partner PD device, port: %d\n", port_num); -- cgit v1.2.3 From d1ceb2b2324717fa30b44d56ef0c52813e239569 Mon Sep 17 00:00:00 2001 From: Tzung-Bi Shih Date: Thu, 2 Jul 2026 08:27:45 +0000 Subject: platform/chrome: sensorhub: Fix memory overread in ring handler `max_response` and `sensor_num` are read from different EC commands: - `max_response` is from cros_ec_get_proto_info(). ec_dev->max_response = info->max_response_packet_size - sizeof(struct ec_host_response); - `sensor_num` is from cros_ec_get_sensor_count(). sensor_num = cros_ec_get_sensor_count(ec); With a malfunctioning EC firmware, it is possible that the `msg->insize` (i.e., `fifo_info_length` in the context) could be clamped in cros_ec_cmd_xfer() because `msg->insize` is greater than `max_response`. int fifo_info_length = sizeof(struct ec_response_motion_sense_fifo_info) + sizeof(u16) * sensorhub->sensor_num; This means the number of read bytes could be less than expected. As a result, the subsequent memcpy() in cros_ec_sensorhub_ring_handler() overreads the `resp->fifo_info` buffer. Check the return value of cros_ec_cmd_xfer_status() and abort if the number of bytes read does not match the expected length. Fixes: 145d59baff59 ("platform/chrome: cros_ec_sensorhub: Add FIFO support") Reviewed-by: Tomasz Figa Link: https://lore.kernel.org/r/20260702082745.1014968-1-tzungbi@kernel.org Signed-off-by: Tzung-Bi Shih --- drivers/platform/chrome/cros_ec_sensorhub_ring.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/platform/chrome/cros_ec_sensorhub_ring.c b/drivers/platform/chrome/cros_ec_sensorhub_ring.c index 64e9615ed6f4..92941924c347 100644 --- a/drivers/platform/chrome/cros_ec_sensorhub_ring.c +++ b/drivers/platform/chrome/cros_ec_sensorhub_ring.c @@ -825,8 +825,15 @@ static void cros_ec_sensorhub_ring_handler(struct cros_ec_sensorhub *sensorhub) sensorhub->msg->outsize = 1; sensorhub->msg->insize = fifo_info_length; - if (cros_ec_cmd_xfer_status(ec->ec_dev, sensorhub->msg) < 0) + ret = cros_ec_cmd_xfer_status(ec->ec_dev, sensorhub->msg); + if (ret < 0) + goto error; + if (ret != fifo_info_length) { + dev_warn_ratelimited(sensorhub->dev, + "Mismatch read length: size %d - expected %d\n", + ret, fifo_info_length); goto error; + } memcpy(fifo_info, &sensorhub->resp->fifo_info, fifo_info_length); -- cgit v1.2.3