From c0998983d0002741aaa2e3068e75fba189ed754a Mon Sep 17 00:00:00 2001
From: Matt DeVillier
Date: Wed, 14 Jan 2026 13:49:47 -0600
Subject: [PATCH] ec/google/chromeec: Fix uninitialized buffer in cbi_get_uint32()

Commit e59c5abd13e6 ("ec/google/chromeec: Add
EC_GOOGLE_CHROMEEC_FW_CONFIG_FROM_UFSC") refactored cbi_get_uint32() to
write directly to the caller's buffer instead of using a local variable.
This caused uninitialized memory (containing garbage addresses) to be
passed to the EC as the return buffer during CBI reads.

In the case of google/zork, the call to
google_chromeec_cbi_get_board_version() returned garbage data (e.g.,
0xae6ccd05 vs 0x5) which caused incorrect code paths to be taken:

- variant_override_gpio_table() selected wrong GPIO tables based on
  invalid board version comparisons
- variant_touchscreen_update() skipped touchscreen GPIO configuration
  because variant_uses_v3_6_schematics() returned true for garbage values
- variant_uses_codec_gpi() returned wrong value, preventing headphone
  jack interrupt setup

These misconfigurations caused input devices (touchpad, touchscreen,
trackpoint) to be non-functional, despite being detected by the OS.

The fix restores the original behavior by using a local variable
initialized to 0, ensuring a clean buffer is always passed to the EC.

TEST=build/boot google/zork, verify board version is read correctly,
all input devices functional under Linux/Windows.

Change-Id: Ia7be0bcc588075ab5c994edc3d68e979cc01ac79
Signed-off-by: Matt DeVillier
Reviewed-on: https://review.coreboot.org/c/coreboot/+/90761
Reviewed-by: Yu-Ping Wu
Tested-by: build bot (Jenkins)
---
 src/ec/google/chromeec/ec.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/ec/google/chromeec/ec.c b/src/ec/google/chromeec/ec.c
index f4da831006..ee04d4a669 100644
--- a/src/ec/google/chromeec/ec.c
+++ b/src/ec/google/chromeec/ec.c
@@ -841,7 +841,12 @@ static int cbi_read(void *buf, size_t bufsize, uint32_t tag, bool check_size) static int cbi_get_uint32(uint32_t *id, uint32_t tag) { - return cbi_read(id, sizeof(*id), tag, true); + uint32_t r = 0; + int rv = cbi_read(&r, sizeof(r), tag, true); + if (rv) + return rv; + *id = r; + return 0; } int google_chromeec_cbi_get_sku_id(uint32_t *id)
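Review bot: The `uint32_t r = 0;` line in cbi_get_uint32() needs a comment explaining why the zero initialization matters, because nothing in the function tells a later reader that it cannot be folded back into `cbi_read(id, sizeof(*id), tag, true)`, which is the refactor this patch undoes. The commit message's 0xae6ccd05 vs 0x5 example suggests the read filled only part of the buffer and left the remaining bytes as the caller had them, so the comment should say that the buffer handed to cbi_read() must be pre-zeroed for that reason. Separately, on the `if (rv) return rv;` path `*id` is left unwritten; either document that in a comment on the function or confirm that callers such as google_chromeec_cbi_get_board_version() check the return value before using the result, since an unchecked caller with an uninitialized variable would feed the same kind of garbage into the board version comparisons.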