From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 11:33:02 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.147~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5da70ea8731c94ff57f4c75e3a3cd18f256aff36;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch comedi-das16m1-fix-bit-shift-out-of-bounds.patch comedi-das6402-fix-bit-shift-out-of-bounds.patch comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch comedi-fix-some-signed-shift-left-operations.patch comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch --- diff --git a/queue-6.1/comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch b/queue-6.1/comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch new file mode 100644 index 0000000000..47ae00e68c --- /dev/null +++ b/queue-6.1/comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch 
@@ -0,0 +1,42 @@ +From 66acb1586737a22dd7b78abc63213b1bcaa100e4 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 14:46:22 +0100 +Subject: comedi: aio_iiro_16: Fix bit shift out of bounds + +From: Ian Abbott + +commit 66acb1586737a22dd7b78abc63213b1bcaa100e4 upstream. + +When checking for a supported IRQ number, the following test is used: + + if ((1 << it->options[1]) & 0xdcfc) { + +However, `it->options[i]` is an unchecked `int` value from userspace, so +the shift amount could be negative or out of bounds. Fix the test by +requiring `it->options[1]` to be within bounds before proceeding with +the original test. Valid `it->options[1]` values that select the IRQ +will be in the range [1,15]. The value 0 explicitly disables the use of +interrupts. + +Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/aio_iiro_16.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/aio_iiro_16.c ++++ b/drivers/comedi/drivers/aio_iiro_16.c +@@ -177,7 +177,8 @@ static int aio_iiro_16_attach(struct com + * Digital input change of state interrupts are optionally supported + * using IRQ 2-7, 10-12, 14, or 15. + */ +- if ((1 << it->options[1]) & 0xdcfc) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & 0xdcfc) { + ret = request_irq(it->options[1], aio_iiro_16_cos, 0, + dev->board_name, dev); + if (ret == 0) diff --git a/queue-6.1/comedi-das16m1-fix-bit-shift-out-of-bounds.patch b/queue-6.1/comedi-das16m1-fix-bit-shift-out-of-bounds.patch new file mode 100644 index 0000000000..aee9474bd9 --- /dev/null +++ b/queue-6.1/comedi-das16m1-fix-bit-shift-out-of-bounds.patch 
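Review bot: The new guard `it->options[1] > 0 && it->options[1] < 16` in aio_iiro_16_attach only keeps the shift defined, while the comment above it lists IRQs 2-7, 10-12, 14 and 15 and the `0xdcfc` mask (bits 2-7, 10-12, 14, 15) is what actually selects them, so a reader may wonder why `> 0` rather than `>= 2` was chosen. A one-line comment would settle it: `/* 0 means no IRQ; the range check keeps the shift in bounds, 0xdcfc selects the supported IRQs */`. The das16m1 and das6402 hunks below add the same guard, das16m1 as `>= 2 && <= 15` and das6402 as `> 0 && < 16`; using one form across the three attach functions would keep the backports uniform and easier to audit. Values outside the range appear to take the same path as 0 (no request_irq), which is worth stating in that comment; aio_iiro_16_attach continues outside the hunk.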
@@ -0,0 +1,44 @@ +From ed93c6f68a3be06e4e0c331c6e751f462dee3932 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 14:09:08 +0100 +Subject: comedi: das16m1: Fix bit shift out of bounds + +From: Ian Abbott + +commit ed93c6f68a3be06e4e0c331c6e751f462dee3932 upstream. + +When checking for a supported IRQ number, the following test is used: + + /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ + if ((1 << it->options[1]) & 0xdcfc) { + +However, `it->options[i]` is an unchecked `int` value from userspace, so +the shift amount could be negative or out of bounds. Fix the test by +requiring `it->options[1]` to be within bounds before proceeding with +the original test. + +Reported-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94 +Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()") +Tested-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com +Suggested-by: "Enju, Kohei" +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707130908.70758-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/das16m1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/das16m1.c ++++ b/drivers/comedi/drivers/das16m1.c +@@ -522,7 +522,8 @@ static int das16m1_attach(struct comedi_ + devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE; + + /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ +- if ((1 << it->options[1]) & 0xdcfc) { ++ if (it->options[1] >= 2 && it->options[1] <= 15 && ++ (1 << it->options[1]) & 0xdcfc) { + ret = request_irq(it->options[1], das16m1_interrupt, 0, + dev->board_name, dev); + if (ret == 0) diff --git a/queue-6.1/comedi-das6402-fix-bit-shift-out-of-bounds.patch b/queue-6.1/comedi-das6402-fix-bit-shift-out-of-bounds.patch new file mode 100644 index 0000000000..0e0f916dc3 
--- /dev/null +++ b/queue-6.1/comedi-das6402-fix-bit-shift-out-of-bounds.patch @@ -0,0 +1,42 @@ +From 70f2b28b5243df557f51c054c20058ae207baaac Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 14:57:37 +0100 +Subject: comedi: das6402: Fix bit shift out of bounds + +From: Ian Abbott + +commit 70f2b28b5243df557f51c054c20058ae207baaac upstream. + +When checking for a supported IRQ number, the following test is used: + + /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ + if ((1 << it->options[1]) & 0x8cec) { + +However, `it->options[i]` is an unchecked `int` value from userspace, so +the shift amount could be negative or out of bounds. Fix the test by +requiring `it->options[1]` to be within bounds before proceeding with +the original test. Valid `it->options[1]` values that select the IRQ +will be in the range [1,15]. The value 0 explicitly disables the use of +interrupts. + +Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707135737.77448-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/das6402.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/comedi/drivers/das6402.c ++++ b/drivers/comedi/drivers/das6402.c +@@ -567,7 +567,8 @@ static int das6402_attach(struct comedi_ + das6402_reset(dev); + + /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ +- if ((1 << it->options[1]) & 0x8cec) { ++ if (it->options[1] > 0 && it->options[1] < 16 && ++ (1 << it->options[1]) & 0x8cec) { + ret = request_irq(it->options[1], das6402_interrupt, 0, + dev->board_name, dev); + if (ret == 0) { diff --git a/queue-6.1/comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch b/queue-6.1/comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch new file mode 100644 index 0000000000..b546f81596 --- /dev/null 
+++ b/queue-6.1/comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch 
@@ -0,0 +1,75 @@ +From 08ae4b20f5e82101d77326ecab9089e110f224cc Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 4 Jul 2025 13:04:05 +0100 +Subject: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large + +From: Ian Abbott + +commit 08ae4b20f5e82101d77326ecab9089e110f224cc upstream. + +The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to +hold the array of `struct comedi_insn`, getting the length from the +`n_insns` member of the `struct comedi_insnlist` supplied by the user. +The allocation will fail with a WARNING and a stack dump if it is too +large. + +Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` +value is unreasonable. + +Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set +this to the same value as `MAX_SAMPLES` (65536), which is the maximum +allowed sum of the values of the member `n` in the array of `struct +comedi_insn`, and sensible comedi instructions will have an `n` of at +least 1. + +Reported-by: syzbot+d6995b62e5ac7d79557a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=d6995b62e5ac7d79557a +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Tested-by: Ian Abbott +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250704120405.83028-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/comedi_fops.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -1584,6 +1584,16 @@ error: + return i; + } + ++#define MAX_INSNS MAX_SAMPLES ++static int check_insnlist_len(struct comedi_device *dev, unsigned int n_insns) ++{ ++ if (n_insns > MAX_INSNS) { ++ dev_dbg(dev->class_dev, "insnlist length too large\n"); ++ return -EINVAL; ++ } ++ return 0; ++} ++ + /* + * COMEDI_INSN ioctl + * synchronous instruction +@@ -2234,6 +2244,9 @@ static long comedi_unlocked_ioctl(struct + rc = -EFAULT; + break; + } ++ rc = 
check_insnlist_len(dev, insnlist.n_insns); ++ if (rc) ++ break; + insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL); + if (!insns) { + rc = -ENOMEM; +@@ -3085,6 +3098,9 @@ static int compat_insnlist(struct file * + if (copy_from_user(&insnlist32, compat_ptr(arg), sizeof(insnlist32))) + return -EFAULT; + ++ rc = check_insnlist_len(dev, insnlist32.n_insns); ++ if (rc) ++ return rc; + insns = kcalloc(insnlist32.n_insns, sizeof(*insns), GFP_KERNEL); + if (!insns) + return -ENOMEM; diff --git a/queue-6.1/comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch b/queue-6.1/comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch new file mode 100644 index 0000000000..d9908c6560 --- /dev/null +++ b/queue-6.1/comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch 
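Review bot: `#define MAX_INSNS MAX_SAMPLES` and check_insnlist_len() carry no comment explaining why the instruction-count limit is tied to the sample limit, so the next reader sees an arbitrary equality. Suggest `/* Bound on insnlist.n_insns: each sensible instruction carries at least one sample, so MAX_SAMPLES also bounds the list length. */` above the define, plus a kernel-doc line on check_insnlist_len() stating that it returns 0 or -EINVAL. In the compat_insnlist hunk the new `rc = check_insnlist_len(dev, insnlist32.n_insns);` relies on `rc` already being declared in that function; the declaration lies outside the hunk and should be confirmed for the 6.1 tree. Both call sites sit ahead of the kcalloc() call, which is the right spot since that allocation is what an oversized n_insns would trip.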
@@ -0,0 +1,77 @@ +From 46d8c744136ce2454aa4c35c138cc06817f92b8e Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 17:14:39 +0100 +Subject: comedi: Fix initialization of data for instructions that write to subdevice + +From: Ian Abbott + +commit 46d8c744136ce2454aa4c35c138cc06817f92b8e upstream. + +Some Comedi subdevice instruction handlers are known to access +instruction data elements beyond the first `insn->n` elements in some +cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions +allocate at least `MIN_SAMPLES` (16) data elements to deal with this, +but they do not initialize all of that. For Comedi instruction codes +that write to the subdevice, the first `insn->n` data elements are +copied from user-space, but the remaining elements are left +uninitialized. That could be a problem if the subdevice instruction +handler reads the uninitialized data. Ensure that the first +`MIN_SAMPLES` elements are initialized before calling these instruction +handlers, filling the uncopied elements with 0. For +`do_insnlist_ioctl()`, the same data buffer elements are used for +handling a list of instructions, so ensure the first `MIN_SAMPLES` +elements are initialized for each instruction that writes to the +subdevice. 
+ +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707161439.88385-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/comedi_fops.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -1551,21 +1551,27 @@ static int do_insnlist_ioctl(struct come + } + + for (i = 0; i < n_insns; ++i) { ++ unsigned int n = insns[i].n; ++ + if (insns[i].insn & INSN_MASK_WRITE) { + if (copy_from_user(data, insns[i].data, +- insns[i].n * sizeof(unsigned int))) { ++ n * sizeof(unsigned int))) { + dev_dbg(dev->class_dev, + "copy_from_user failed\n"); + ret = -EFAULT; + goto error; + } ++ if (n < MIN_SAMPLES) { ++ memset(&data[n], 0, (MIN_SAMPLES - n) * ++ sizeof(unsigned int)); ++ } + } + ret = parse_insn(dev, insns + i, data, file); + if (ret < 0) + goto error; + if (insns[i].insn & INSN_MASK_READ) { + if (copy_to_user(insns[i].data, data, +- insns[i].n * sizeof(unsigned int))) { ++ n * sizeof(unsigned int))) { + dev_dbg(dev->class_dev, + "copy_to_user failed\n"); + ret = -EFAULT; +@@ -1638,6 +1644,10 @@ static int do_insn_ioctl(struct comedi_d + ret = -EFAULT; + goto error; + } ++ if (insn->n < MIN_SAMPLES) { ++ memset(&data[insn->n], 0, ++ (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); ++ } + } + ret = parse_insn(dev, insn, data, file); + if (ret < 0) diff --git a/queue-6.1/comedi-fix-some-signed-shift-left-operations.patch b/queue-6.1/comedi-fix-some-signed-shift-left-operations.patch new file mode 100644 index 0000000000..b36782e92b --- /dev/null +++ b/queue-6.1/comedi-fix-some-signed-shift-left-operations.patch 
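Review bot: The new `memset(&data[n], 0, (MIN_SAMPLES - n) * sizeof(unsigned int))` in do_insnlist_ioctl and its twin in do_insn_ioctl have no comment saying why elements past insn->n are zeroed; the reason (some subdevice handlers read up to MIN_SAMPLES elements regardless of insn->n, and in the list case the buffer is reused across instructions) lives only in the commit message. Suggest `/* Handlers may read up to MIN_SAMPLES elements; zero the part not supplied by user space. */` before each memset. The zero-fill is applied only on the INSN_MASK_WRITE branch, so for a non-write instruction data[] still holds whatever the previous instruction left; that matches the commit message's stated scope but is worth recording in the same comment. Both functions start outside the hunk, so the check that `n` cannot exceed the data buffer is not visible here and is assumed to exist.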
@@ -0,0 +1,73 @@ +From ab705c8c35e18652abc6239c07cf3441f03e2cda Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 13:15:55 +0100 +Subject: comedi: Fix some signed shift left operations + +From: Ian Abbott + +commit ab705c8c35e18652abc6239c07cf3441f03e2cda upstream. + +Correct some left shifts of the signed integer constant 1 by some +unsigned number less than 32. Change the constant to 1U to avoid +shifting a 1 into the sign bit. + +The corrected functions are comedi_dio_insn_config(), +comedi_dio_update_state(), and __comedi_device_postconfig(). + +Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()") +Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()") +Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707121555.65424-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/comedi/drivers.c ++++ b/drivers/comedi/drivers.c +@@ -338,10 +338,10 @@ int comedi_dio_insn_config(struct comedi + unsigned int *data, + unsigned int mask) + { +- unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec); ++ unsigned int chan = CR_CHAN(insn->chanspec); + +- if (!mask) +- mask = chan_mask; ++ if (!mask && chan < 32) ++ mask = 1U << chan; + + switch (data[0]) { + case INSN_CONFIG_DIO_INPUT: +@@ -381,7 +381,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config + unsigned int comedi_dio_update_state(struct comedi_subdevice *s, + unsigned int *data) + { +- unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1) ++ unsigned int chanmask = (s->n_chan < 32) ? 
((1U << s->n_chan) - 1) + : 0xffffffff; + unsigned int mask = data[0] & chanmask; + unsigned int bits = data[1]; +@@ -624,8 +624,8 @@ static int insn_rw_emulate_bits(struct c + if (insn->insn == INSN_WRITE) { + if (!(s->subdev_flags & SDF_WRITABLE)) + return -EINVAL; +- _data[0] = 1 << (chan - base_chan); /* mask */ +- _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */ ++ _data[0] = 1U << (chan - base_chan); /* mask */ ++ _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */ + } + + ret = s->insn_bits(dev, s, &_insn, _data); +@@ -708,7 +708,7 @@ static int __comedi_device_postconfig(st + + if (s->type == COMEDI_SUBD_DO) { + if (s->n_chan < 32) +- s->io_bits = (1 << s->n_chan) - 1; ++ s->io_bits = (1U << s->n_chan) - 1; + else + s->io_bits = 0xffffffff; + } diff --git a/queue-6.1/comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch b/queue-6.1/comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch new file mode 100644 index 0000000000..d7b5932fe7 --- /dev/null +++ b/queue-6.1/comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch 
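Review bot: In comedi_dio_insn_config the rewritten `if (!mask && chan < 32) mask = 1U << chan;` means a channel number of 32 or more now leaves `mask` at 0 instead of shifting out of range, and the rest of the function (outside the hunk) then presumably applies a zero mask and configures nothing without reporting it; a comment, or an `-EINVAL` return for that case, would make the behaviour deliberate, e.g. `/* chan >= 32 cannot be expressed in a 32-bit mask; mask stays 0 */`. The insn_rw_emulate_bits change to `1U << (chan - base_chan)` is only in range if base_chan keeps the difference below 32; that computation is outside the hunk and should be confirmed. The comedi_dio_update_state and __comedi_device_postconfig hunks are already guarded by `s->n_chan < 32` and need nothing further.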
@@ -0,0 +1,59 @@ +From e9cb26291d009243a4478a7ffb37b3a9175bfce9 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 7 Jul 2025 16:33:54 +0100 +Subject: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() + +From: Ian Abbott + +commit e9cb26291d009243a4478a7ffb37b3a9175bfce9 upstream. + +For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" +subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and +`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have +`insn_read` and `insn_write` handler functions, but to have an +`insn_bits` handler function for handling Comedi `INSN_BITS` +instructions. In that case, the subdevice's `insn_read` and/or +`insn_write` function handler pointers are set to point to the +`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. + +For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the +supplied `data[0]` value is a valid copy from user memory. It will at +least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in +"comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are +allocated. However, if `insn->n` is 0 (which is allowable for +`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain +uninitialized data, and certainly contains invalid data, possibly from a +different instruction in the array of instructions handled by +`do_insnlist_ioctl()`. This will result in an incorrect value being +written to the digital output channel (or to the digital input/output +channel if configured as an output), and may be reflected in the +internal saved state of the channel. + +Fix it by returning 0 early if `insn->n` is 0, before reaching the code +that accesses `data[0]`. Previously, the function always returned 1 on +success, but it is supposed to be the number of data samples actually +read or written up to `insn->n`, which is 0 in this case. 
+ +Reported-by: syzbot+cb96ec476fb4914445c9@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9 +Fixes: ed9eccbe8970 ("Staging: add comedi core") +Cc: stable@vger.kernel.org # 5.13+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250707153355.82474-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/comedi/drivers.c ++++ b/drivers/comedi/drivers.c +@@ -614,6 +614,9 @@ static int insn_rw_emulate_bits(struct c + unsigned int _data[2]; + int ret; + ++ if (insn->n == 0) ++ return 0; ++ + memset(_data, 0, sizeof(_data)); + memset(&_insn, 0, sizeof(_insn)); + _insn.insn = INSN_BITS; diff --git a/queue-6.1/series b/queue-6.1/series index 5f5800507e..91ad2c234a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -32,3 +32,10 @@ iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch iio-adc-max1363-reorder-mode_list-entries.patch iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch comedi-pcl812-fix-bit-shift-out-of-bounds.patch +comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch +comedi-das16m1-fix-bit-shift-out-of-bounds.patch +comedi-das6402-fix-bit-shift-out-of-bounds.patch +comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch +comedi-fix-some-signed-shift-left-operations.patch +comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch +comedi-fix-initialization-of-data-for-instructions-that-write-to-subdevice.patch
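Review bot: The early `if (insn->n == 0) return 0;` in insn_rw_emulate_bits has no comment, and since the function otherwise returns 1 a reader may take the 0 for an error code rather than a sample count. Suggest `/* Nothing to transfer and data[0] is not valid for n == 0; report 0 samples. */` above it. The return is placed before the memsets and the _insn setup, so no work is done for the empty case, which is the right order. insn_rw_emulate_bits starts outside the hunk.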