--- /dev/null
+From 66acb1586737a22dd7b78abc63213b1bcaa100e4 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 14:46:22 +0100
+Subject: comedi: aio_iiro_16: Fix bit shift out of bounds
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 66acb1586737a22dd7b78abc63213b1bcaa100e4 upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ if ((1 << it->options[1]) & 0xdcfc) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test. Valid `it->options[1]` values that select the IRQ
+will be in the range [1,15]. The value 0 explicitly disables the use of
+interrupts.
+
+Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/aio_iiro_16.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/aio_iiro_16.c
++++ b/drivers/comedi/drivers/aio_iiro_16.c
+@@ -177,7 +177,8 @@ static int aio_iiro_16_attach(struct com
+ * Digital input change of state interrupts are optionally supported
+ * using IRQ 2-7, 10-12, 14, or 15.
+ */
+- if ((1 << it->options[1]) & 0xdcfc) {
++ if (it->options[1] > 0 && it->options[1] < 16 &&
++ (1 << it->options[1]) & 0xdcfc) {
+ ret = request_irq(it->options[1], aio_iiro_16_cos, 0,
+ dev->board_name, dev);
+ if (ret == 0)
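Review bot: The new range check in aio_iiro_16_attach() sits next to the `0xdcfc` mask with nothing on the line saying that it exists only to keep the shift count defined for a user-supplied `it->options[1]`. A short comment such as `/* options[1] comes from userspace: bound it before using it as a shift count */` would stop a later cleanup from folding the guard away. The same test is open-coded in the das16m1 and das6402 hunks, and das16m1 spells the bounds as `>= 2 && <= 15` where the other two use `> 0 && < 16`. Both spellings are safe because bits 0 and 1 are clear in the masks, but one spelling across the drivers would be easier to audit. The function body continues outside the hunk.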
--- /dev/null
+From ed93c6f68a3be06e4e0c331c6e751f462dee3932 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 14:09:08 +0100
+Subject: comedi: das16m1: Fix bit shift out of bounds
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit ed93c6f68a3be06e4e0c331c6e751f462dee3932 upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
+ if ((1 << it->options[1]) & 0xdcfc) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test.
+
+Reported-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94
+Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()")
+Tested-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com
+Suggested-by: "Enju, Kohei" <enjuk@amazon.co.jp>
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707130908.70758-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/das16m1.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/das16m1.c
++++ b/drivers/comedi/drivers/das16m1.c
+@@ -522,7 +522,8 @@ static int das16m1_attach(struct comedi_
+ devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE;
+
+ /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
+- if ((1 << it->options[1]) & 0xdcfc) {
++ if (it->options[1] >= 2 && it->options[1] <= 15 &&
++ (1 << it->options[1]) & 0xdcfc) {
+ ret = request_irq(it->options[1], das16m1_interrupt, 0,
+ dev->board_name, dev);
+ if (ret == 0)
--- /dev/null
+From 70f2b28b5243df557f51c054c20058ae207baaac Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 14:57:37 +0100
+Subject: comedi: das6402: Fix bit shift out of bounds
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 70f2b28b5243df557f51c054c20058ae207baaac upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
+ if ((1 << it->options[1]) & 0x8cec) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test. Valid `it->options[1]` values that select the IRQ
+will be in the range [1,15]. The value 0 explicitly disables the use of
+interrupts.
+
+Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707135737.77448-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/das6402.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/das6402.c
++++ b/drivers/comedi/drivers/das6402.c
+@@ -567,7 +567,8 @@ static int das6402_attach(struct comedi_
+ das6402_reset(dev);
+
+ /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
+- if ((1 << it->options[1]) & 0x8cec) {
++ if (it->options[1] > 0 && it->options[1] < 16 &&
++ (1 << it->options[1]) & 0x8cec) {
+ ret = request_irq(it->options[1], das6402_interrupt, 0,
+ dev->board_name, dev);
+ if (ret == 0) {
--- /dev/null
+From 08ae4b20f5e82101d77326ecab9089e110f224cc Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 4 Jul 2025 13:04:05 +0100
+Subject: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 08ae4b20f5e82101d77326ecab9089e110f224cc upstream.
+
+The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to
+hold the array of `struct comedi_insn`, getting the length from the
+`n_insns` member of the `struct comedi_insnlist` supplied by the user.
+The allocation will fail with a WARNING and a stack dump if it is too
+large.
+
+Avoid that by failing with an `-EINVAL` error if the supplied `n_insns`
+value is unreasonable.
+
+Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set
+this to the same value as `MAX_SAMPLES` (65536), which is the maximum
+allowed sum of the values of the member `n` in the array of `struct
+comedi_insn`, and sensible comedi instructions will have an `n` of at
+least 1.
+
+Reported-by: syzbot+d6995b62e5ac7d79557a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Tested-by: Ian Abbott <abbotti@mev.co.uk>
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250704120405.83028-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/comedi_fops.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/comedi/comedi_fops.c
++++ b/drivers/comedi/comedi_fops.c
+@@ -1584,6 +1584,16 @@ error:
+ return i;
+ }
+
++#define MAX_INSNS MAX_SAMPLES
++static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns)
++{
++ if (n_insns > MAX_INSNS) {
++ dev_dbg(dev->class_dev, "insnlist length too large\n");
++ return -EINVAL;
++ }
++ return 0;
++}
++
+ /*
+ * COMEDI_INSN ioctl
+ * synchronous instruction
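Review bot: `MAX_INSNS` is defined with no comment, so the reasoning behind the limit lives only in the commit message. I would put a comment above the `#define`, for example `/* the sum of insn.n over a list is capped at MAX_SAMPLES and a sensible insn has n >= 1, so a longer list cannot be valid */`. check_insnlist_len() reports the rejection only through `dev_dbg()`, which suits a path any caller of the ioctl can trigger. A one-line note saying so would discourage raising the log level later.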
+@@ -2234,6 +2244,9 @@ static long comedi_unlocked_ioctl(struct
+ rc = -EFAULT;
+ break;
+ }
++ rc = check_insnlist_len(dev, insnlist.n_insns);
++ if (rc)
++ break;
+ insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL);
+ if (!insns) {
+ rc = -ENOMEM;
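Review bot: Even with the new cap, `kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL)` is still sized by a user-supplied count. At the limit of 65536 entries stated in the commit message it is probably a multi-megabyte physically contiguous request, though the size of `struct comedi_insn` is not visible here. That can fail under memory fragmentation and log an allocation-failure trace, even though `-ENOMEM` is already handled. Consider `kvcalloc()` with a matching `kvfree()` at the free site, which is outside this hunk, or add `__GFP_NOWARN` to the flags. The same applies to the `kcalloc()` in the compat_insnlist() hunk that follows.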
+@@ -3085,6 +3098,9 @@ static int compat_insnlist(struct file *
+ if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32)))
+ return -EFAULT;
+
++ rc = check_insnlist_len(dev, insnlist32.n_insns);
++ if (rc)
++ return rc;
+ insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL);
+ if (!insns)
+ return -ENOMEM;
--- /dev/null
+From 46d8c744136ce2454aa4c35c138cc06817f92b8e Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 17:14:39 +0100
+Subject: comedi: Fix initialization of data for instructions that write to subdevice
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 46d8c744136ce2454aa4c35c138cc06817f92b8e upstream.
+
+Some Comedi subdevice instruction handlers are known to access
+instruction data elements beyond the first `insn->n` elements in some
+cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions
+allocate at least `MIN_SAMPLES` (16) data elements to deal with this,
+but they do not initialize all of that. For Comedi instruction codes
+that write to the subdevice, the first `insn->n` data elements are
+copied from user-space, but the remaining elements are left
+uninitialized. That could be a problem if the subdevice instruction
+handler reads the uninitialized data. Ensure that the first
+`MIN_SAMPLES` elements are initialized before calling these instruction
+handlers, filling the uncopied elements with 0. For
+`do_insnlist_ioctl()`, the same data buffer elements are used for
+handling a list of instructions, so ensure the first `MIN_SAMPLES`
+elements are initialized for each instruction that writes to the
+subdevice.
+
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707161439.88385-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/comedi_fops.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/comedi/comedi_fops.c
++++ b/drivers/comedi/comedi_fops.c
+@@ -1551,21 +1551,27 @@ static int do_insnlist_ioctl(struct come
+ }
+
+ for (i = 0; i < n_insns; ++i) {
++ unsigned int n = insns[i].n;
++
+ if (insns[i].insn & INSN_MASK_WRITE) {
+ if (copy_from_user(data, insns[i].data,
+- insns[i].n * sizeof(unsigned int))) {
++ n * sizeof(unsigned int))) {
+ dev_dbg(dev->class_dev,
+ "copy_from_user failed\n");
+ ret = -EFAULT;
+ goto error;
+ }
++ if (n < MIN_SAMPLES) {
++ memset(&data[n], 0, (MIN_SAMPLES - n) *
++ sizeof(unsigned int));
++ }
+ }
+ ret = parse_insn(dev, insns + i, data, file);
+ if (ret < 0)
+ goto error;
+ if (insns[i].insn & INSN_MASK_READ) {
+ if (copy_to_user(insns[i].data, data,
+- insns[i].n * sizeof(unsigned int))) {
++ n * sizeof(unsigned int))) {
+ dev_dbg(dev->class_dev,
+ "copy_to_user failed\n");
+ ret = -EFAULT;
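Review bot: The zero-fill in do_insnlist_ioctl() is applied only inside the `INSN_MASK_WRITE` branch, so for a read-only instruction `data` reaches parse_insn() holding whatever the previous instruction left there. `n` elements are then copied back to the user under `INSN_MASK_READ`. Whether the buffer is zero-allocated is not visible in this hunk; if it is not, a handler that fills fewer than `n` elements would let stale or uninitialized kernel memory reach userspace. Either confirm the allocation is zeroed or clear the buffer for every instruction, not only for writes. The do_insn_ioctl() hunk below has the same shape, and both functions start and end outside their hunks.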
+@@ -1638,6 +1644,10 @@ static int do_insn_ioctl(struct comedi_d
+ ret = -EFAULT;
+ goto error;
+ }
++ if (insn->n < MIN_SAMPLES) {
++ memset(&data[insn->n], 0,
++ (MIN_SAMPLES - insn->n) * sizeof(unsigned int));
++ }
+ }
+ ret = parse_insn(dev, insn, data, file);
+ if (ret < 0)
--- /dev/null
+From ab705c8c35e18652abc6239c07cf3441f03e2cda Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 13:15:55 +0100
+Subject: comedi: Fix some signed shift left operations
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit ab705c8c35e18652abc6239c07cf3441f03e2cda upstream.
+
+Correct some left shifts of the signed integer constant 1 by some
+unsigned number less than 32. Change the constant to 1U to avoid
+shifting a 1 into the sign bit.
+
+The corrected functions are comedi_dio_insn_config(),
+comedi_dio_update_state(), and __comedi_device_postconfig().
+
+Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()")
+Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()")
+Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707121555.65424-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/comedi/drivers.c
++++ b/drivers/comedi/drivers.c
+@@ -338,10 +338,10 @@ int comedi_dio_insn_config(struct comedi
+ unsigned int *data,
+ unsigned int mask)
+ {
+- unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec);
++ unsigned int chan = CR_CHAN(insn->chanspec);
+
+- if (!mask)
+- mask = chan_mask;
++ if (!mask && chan < 32)
++ mask = 1U << chan;
+
+ switch (data[0]) {
+ case INSN_CONFIG_DIO_INPUT:
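Review bot: In comedi_dio_insn_config(), when the caller passes `mask == 0` and `chan >= 32`, the new condition `if (!mask && chan < 32)` leaves `mask` at 0 and execution falls into the `switch` with an empty mask. The rest of the switch is outside this hunk, but it looks as though such a request would change nothing and still report success. If that combination can only be a caller bug, an explicit rejection would be clearer, e.g. `if (!mask) { if (chan >= 32) return -EINVAL; mask = 1U << chan; }`. Otherwise a comment stating that a zero mask is deliberately tolerated there would help.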
+@@ -381,7 +381,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config
+ unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
+ unsigned int *data)
+ {
+- unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1)
++ unsigned int chanmask = (s->n_chan < 32) ? ((1U << s->n_chan) - 1)
+ : 0xffffffff;
+ unsigned int mask = data[0] & chanmask;
+ unsigned int bits = data[1];
+@@ -624,8 +624,8 @@ static int insn_rw_emulate_bits(struct c
+ if (insn->insn == INSN_WRITE) {
+ if (!(s->subdev_flags & SDF_WRITABLE))
+ return -EINVAL;
+- _data[0] = 1 << (chan - base_chan); /* mask */
+- _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */
++ _data[0] = 1U << (chan - base_chan); /* mask */
++ _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */
+ }
+
+ ret = s->insn_bits(dev, s, &_insn, _data);
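Review bot: The shift count `chan - base_chan` in insn_rw_emulate_bits() is now applied to `1U`, but the bound that keeps it below 32 is computed outside this hunk and is not visible here; a comment at the shift naming that invariant would help a reviewer. The expression `1U << (chan - base_chan)` is also written twice on adjacent lines. Computing it once, as in `_data[0] = 1U << (chan - base_chan);` followed by `_data[1] = data[0] ? _data[0] : 0;`, removes the chance of the two drifting apart. This function is changed by the patch but is not listed among the corrected functions in the commit message.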
+@@ -708,7 +708,7 @@ static int __comedi_device_postconfig(st
+
+ if (s->type == COMEDI_SUBD_DO) {
+ if (s->n_chan < 32)
+- s->io_bits = (1 << s->n_chan) - 1;
++ s->io_bits = (1U << s->n_chan) - 1;
+ else
+ s->io_bits = 0xffffffff;
+ }
--- /dev/null
+From e9cb26291d009243a4478a7ffb37b3a9175bfce9 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 16:33:54 +0100
+Subject: comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit e9cb26291d009243a4478a7ffb37b3a9175bfce9 upstream.
+
+For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital"
+subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and
+`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have
+`insn_read` and `insn_write` handler functions, but to have an
+`insn_bits` handler function for handling Comedi `INSN_BITS`
+instructions. In that case, the subdevice's `insn_read` and/or
+`insn_write` function handler pointers are set to point to the
+`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.
+
+For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the
+supplied `data[0]` value is a valid copy from user memory. It will at
+least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in
+"comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are
+allocated. However, if `insn->n` is 0 (which is allowable for
+`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain
+uninitialized data, and certainly contains invalid data, possibly from a
+different instruction in the array of instructions handled by
+`do_insnlist_ioctl()`. This will result in an incorrect value being
+written to the digital output channel (or to the digital input/output
+channel if configured as an output), and may be reflected in the
+internal saved state of the channel.
+
+Fix it by returning 0 early if `insn->n` is 0, before reaching the code
+that accesses `data[0]`. Previously, the function always returned 1 on
+success, but it is supposed to be the number of data samples actually
+read or written up to `insn->n`, which is 0 in this case.
+
+Reported-by: syzbot+cb96ec476fb4914445c9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707153355.82474-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/comedi/drivers.c
++++ b/drivers/comedi/drivers.c
+@@ -614,6 +614,9 @@ static int insn_rw_emulate_bits(struct c
+ unsigned int _data[2];
+ int ret;
+
++ if (insn->n == 0)
++ return 0;
++
+ memset(_data, 0, sizeof(_data));
+ memset(&_insn, 0, sizeof(_insn));
+ _insn.insn = INSN_BITS;
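Review bot: The early `return 0` added to insn_rw_emulate_bits() carries no comment, and the reason for it (`data[0]` is not valid caller data when `insn->n` is 0) is only in the commit message. I would add `/* n == 0: data[0] was not supplied by the caller, so transfer nothing */` above the check. The return also sits ahead of the function's other checks, which are outside this hunk; the `SDF_WRITABLE` test is visible in the other drivers.c patch in this series. A zero-length `INSN_WRITE` to a non-writable subdevice therefore appears to return 0 now rather than `-EINVAL`, which is worth confirming as intended.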
iio-adc-max1363-reorder-mode_list-entries.patch
iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch
comedi-pcl812-fix-bit-shift-out-of-bounds.patch
+comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch
+comedi-das16m1-fix-bit-shift-out-of-bounds.patch
+comedi-das6402-fix-bit-shift-out-of-bounds.patch
+comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch
+comedi-fix-some-signed-shift-left-operations.patch
+comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch
+comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch