> -----Original Message----- 
> From: Aaron Ma <aaron.ma@xxxxxxxxxxxxx>
> Sent: Sunday, August 3, 2025 2:57 PM
> To: Xu, Even <even.xu@xxxxxxxxx>; Sun, Xinpeng <xinpeng.sun@xxxxxxxxx>;
> jikos@xxxxxxxxxx; bentiss@xxxxxxxxxx; linux-input@xxxxxxxxxxxxxxx;
> linux-kernel@xxxxxxxxxxxxxxx; Aaron, Ma <aaron.ma@xxxxxxxxxxxxx>
> Subject: [PATCH 1/2] HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB
> length
>
> The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a trailing byte,
> making the actual length one more byte than the structs defined.
>
> It caused stack-out-of-bounds and kernel crash:
>
> kernel: BUG: KASAN: stack-out-of-bounds in
> quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0 [intel_quicki2c]
> kernel: Write of size 12 at addr ffff888106d1f900 by task kworker/u33:2/75
> kernel:
> kernel: CPU: 3 UID: 0 PID: 75 Comm: kworker/u33:2 Not tainted 6.16.0+ #3
> PREEMPT(voluntary)
> kernel: Workqueue: async async_run_entry_fn
> kernel: Call Trace:
> kernel: <TASK>
> kernel: dump_stack_lvl+0x76/0xa0
> kernel: print_report+0xd1/0x660
> kernel: ? __pfx__raw_spin_lock_irqsave+0x10/0x10
> kernel: ? __kasan_slab_free+0x5d/0x80
> kernel: ? kasan_addr_to_slab+0xd/0xb0
> kernel: kasan_report+0xe1/0x120
> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0
> [intel_quicki2c]
> kernel: ? quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0
> [intel_quicki2c]
> kernel: kasan_check_range+0x11c/0x200
> kernel: __asan_memcpy+0x3b/0x80
> kernel: quicki2c_acpi_get_dsd_property.constprop.0+0x111/0x1b0
> [intel_quicki2c]
> kernel: ? __pfx_quicki2c_acpi_get_dsd_property.constprop.0+0x10/0x10
> [intel_quicki2c]
> kernel: quicki2c_get_acpi_resources+0x237/0x730 [intel_quicki2c] [...]
> kernel: </TASK> > kernel: > kernel: The buggy address belongs to stack of task kworker/u33:2/75 > kernel: and is located at offset 48 in frame: > kernel: quicki2c_get_acpi_resources+0x0/0x730 [intel_quicki2c] > kernel: > kernel: This frame has 3 objects: > kernel: [32, 36) 'hid_desc_addr' > kernel: [48, 59) 'i2c_param' > kernel: [80, 224) 'i2c_config' > > ACPI DSD methods return: > > \_SB.PC00.THC0.ICRS Buffer 000000003fdc947b 001 Len 0C = 0A 00 80 1A 06 > 00 00 00 00 00 00 00 > \_SB.PC00.THC0.ISUB Buffer 00000000f2fcbdc4 001 Len 91 = 00 00 00 00 00 > 00 00 00 00 00 00 00 > > Adding reserved padding to quicki2c_subip_acpi_parameter/config. Good finding, thanks for the fix! > > Fixes: 5282e45ccbfa9 ("HID: intel-thc-hid: intel-quicki2c: Add THC QuickI2C ACPI > interfaces") > Signed-off-by: Aaron Ma <aaron.ma@xxxxxxxxxxxxx> > --- > drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h > b/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h > index 6ddb584bd6110..97085a6a7452d 100644 > --- a/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h > +++ b/drivers/hid/intel-thc-hid/intel-quicki2c/quicki2c-dev.h > @@ -71,6 +71,7 @@ struct quicki2c_subip_acpi_parameter { > u16 device_address; > u64 connection_speed; > u8 addressing_mode; > + u8 reserved; > } __packed; > > /** > @@ -120,6 +121,7 @@ struct quicki2c_subip_acpi_config { > u64 HMTD; > u64 HMRD; > u64 HMSL; > + u8 reserved; > }; Reviewed-by: Even Xu <even.xu@xxxxxxxxx> Tested-by: Even Xu <even.xu@xxxxxxxxx> > > struct device; > -- > 2.43.0
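Review bot: The `u8 reserved;` added to the __packed struct quicki2c_subip_acpi_parameter in the first hunk sizes the struct to the 12-byte (Len 0C) ICRS buffer quoted in the commit message, but nothing in this patch bounds the copy itself. The KASAN trace shows the memcpy in quicki2c_acpi_get_dsd_property writing 12 bytes into the 11-byte i2c_param object, so the copy length appears to follow the firmware-supplied buffer rather than the destination. Consider having that function compare the returned buffer length against the destination size and fail on a mismatch, so that firmware returning a different length is rejected instead of overflowing the stack. The new member also deserves a short comment saying it covers the trailing byte returned by _DSD.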
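Review bot: In the second hunk, struct quicki2c_subip_acpi_config closes with a plain `};` and is not __packed, so `u8 reserved;` placed after the u64 members grows the struct by a full alignment unit rather than by one byte. The 144-byte i2c_config object from the KASAN frame becomes 152 bytes on x86-64, not the 0x91 (145) bytes that ISUB returns. That is large enough to hold the buffer, but the struct then no longer mirrors the firmware layout exactly, and any later check of the form length == sizeof(struct) would reject a valid buffer. Either note in a comment that the struct size is intentionally an upper bound, or mark the struct __packed as quicki2c_subip_acpi_parameter is.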