From: Greg Kroah-Hartman Date: Mon, 21 Jul 2025 11:32:28 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.1.147~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a5768096bd89456563e6da8abd2ac5cd64719ac6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch comedi-das16m1-fix-bit-shift-out-of-bounds.patch comedi-das6402-fix-bit-shift-out-of-bounds.patch comedi-fix-some-signed-shift-left-operations.patch comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch
---
diff --git a/queue-5.4/comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch b/queue-5.4/comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch
new file mode 100644
index 0000000000..94eeec67de
--- /dev/null
+++ b/queue-5.4/comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch
@@ -0,0 +1,41 @@
+From 66acb1586737a22dd7b78abc63213b1bcaa100e4 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 7 Jul 2025 14:46:22 +0100
+Subject: comedi: aio_iiro_16: Fix bit shift out of bounds
+
+From: Ian Abbott
+
+commit 66acb1586737a22dd7b78abc63213b1bcaa100e4 upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ if ((1 << it->options[1]) & 0xdcfc) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test. Valid `it->options[1]` values that select the IRQ
+will be in the range [1,15]. The value 0 explicitly disables the use of
+interrupts.
+
+Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20250707134622.75403-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/aio_iiro_16.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/aio_iiro_16.c
++++ b/drivers/staging/comedi/drivers/aio_iiro_16.c
+@@ -178,7 +178,8 @@ static int aio_iiro_16_attach(struct com
+ * Digital input change of state interrupts are optionally supported
+ * using IRQ 2-7, 10-12, 14, or 15.
+ */
+- if ((1 << it->options[1]) & 0xdcfc) {
++ if (it->options[1] > 0 && it->options[1] < 16 &&
++ (1 << it->options[1]) & 0xdcfc) {
+ ret = request_irq(it->options[1], aio_iiro_16_cos, 0,
+ dev->board_name, dev);
+ if (ret == 0)
diff --git a/queue-5.4/comedi-das16m1-fix-bit-shift-out-of-bounds.patch b/queue-5.4/comedi-das16m1-fix-bit-shift-out-of-bounds.patch
new file mode 100644
index 0000000000..8b4c9bf806
--- /dev/null
+++ b/queue-5.4/comedi-das16m1-fix-bit-shift-out-of-bounds.patch
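Review bot: The new guard in aio_iiro_16_attach, `it->options[1] > 0 && it->options[1] < 16 && (1 << it->options[1]) & 0xdcfc`, mixes `&&` with an unparenthesised `&` term, so a reader must recall that `&` binds tighter than `&&` to see that the mask test is evaluated as intended; writing the last term as `((1 << it->options[1]) & 0xdcfc)` makes that explicit. The same shape appears in the das16m1 and das6402 hunks that follow, and those two use different but equivalent bounds (`>= 2 && <= 15` versus `> 0 && < 16`); since bits 0 and 1 are clear in both 0xdcfc and 0x8cec the results agree, but one form across the three backports would be easier to audit. If the queue must stay byte-identical to the upstream commits, this is a follow-up for upstream rather than a change to the backport. aio_iiro_16_attach starts and ends outside the hunk.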
@@ -0,0 +1,44 @@
+From ed93c6f68a3be06e4e0c331c6e751f462dee3932 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 7 Jul 2025 14:09:08 +0100
+Subject: comedi: das16m1: Fix bit shift out of bounds
+
+From: Ian Abbott
+
+commit ed93c6f68a3be06e4e0c331c6e751f462dee3932 upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
+ if ((1 << it->options[1]) & 0xdcfc) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test.
+
+Reported-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94
+Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()")
+Tested-by: syzbot+c52293513298e0fd9a94@syzkaller.appspotmail.com
+Suggested-by: "Enju, Kohei"
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20250707130908.70758-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/das16m1.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das16m1.c
++++ b/drivers/staging/comedi/drivers/das16m1.c
+@@ -523,7 +523,8 @@ static int das16m1_attach(struct comedi_
+ devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE;
+
+ /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
+- if ((1 << it->options[1]) & 0xdcfc) {
++ if (it->options[1] >= 2 && it->options[1] <= 15 &&
++ (1 << it->options[1]) & 0xdcfc) {
+ ret = request_irq(it->options[1], das16m1_interrupt, 0,
+ dev->board_name, dev);
+ if (ret == 0)
diff --git a/queue-5.4/comedi-das6402-fix-bit-shift-out-of-bounds.patch b/queue-5.4/comedi-das6402-fix-bit-shift-out-of-bounds.patch
new file mode 100644
index 0000000000..0894532c4e
--- /dev/null
+++ b/queue-5.4/comedi-das6402-fix-bit-shift-out-of-bounds.patch
@@ -0,0 +1,42 @@
+From 70f2b28b5243df557f51c054c20058ae207baaac Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 7 Jul 2025 14:57:37 +0100
+Subject: comedi: das6402: Fix bit shift out of bounds
+
+From: Ian Abbott
+
+commit 70f2b28b5243df557f51c054c20058ae207baaac upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
+ if ((1 << it->options[1]) & 0x8cec) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test. Valid `it->options[1]` values that select the IRQ
+will be in the range [1,15]. The value 0 explicitly disables the use of
+interrupts.
+
+Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20250707135737.77448-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers/das6402.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das6402.c
++++ b/drivers/staging/comedi/drivers/das6402.c
+@@ -569,7 +569,8 @@ static int das6402_attach(struct comedi_
+ das6402_reset(dev);
+
+ /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
+- if ((1 << it->options[1]) & 0x8cec) {
++ if (it->options[1] > 0 && it->options[1] < 16 &&
++ (1 << it->options[1]) & 0x8cec) {
+ ret = request_irq(it->options[1], das6402_interrupt, 0,
+ dev->board_name, dev);
+ if (ret == 0) {
diff --git a/queue-5.4/comedi-fix-some-signed-shift-left-operations.patch b/queue-5.4/comedi-fix-some-signed-shift-left-operations.patch
new file mode 100644
index 0000000000..17d4c14626
--- /dev/null
+++ b/queue-5.4/comedi-fix-some-signed-shift-left-operations.patch
@@ -0,0 +1,72 @@
+From ab705c8c35e18652abc6239c07cf3441f03e2cda Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 7 Jul 2025 13:15:55 +0100
+Subject: comedi: Fix some signed shift left operations
+
+From: Ian Abbott
+
+commit ab705c8c35e18652abc6239c07cf3441f03e2cda upstream.
+
+Correct some left shifts of the signed integer constant 1 by some
+unsigned number less than 32. Change the constant to 1U to avoid
+shifting a 1 into the sign bit.
+
+The corrected functions are comedi_dio_insn_config(),
+comedi_dio_update_state(), and __comedi_device_postconfig().
+
+Fixes: e523c6c86232 ("staging: comedi: drivers: introduce comedi_dio_insn_config()")
+Fixes: 05e60b13a36b ("staging: comedi: drivers: introduce comedi_dio_update_state()")
+Fixes: 09567cb4373e ("staging: comedi: initialize subdevice s->io_bits in postconfig")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20250707121555.65424-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/comedi/drivers.c
++++ b/drivers/staging/comedi/drivers.c
+@@ -339,10 +339,10 @@ int comedi_dio_insn_config(struct comedi
+ unsigned int *data,
+ unsigned int mask)
+ {
+- unsigned int chan_mask = 1 << CR_CHAN(insn->chanspec);
++ unsigned int chan = CR_CHAN(insn->chanspec);
+
+- if (!mask)
+- mask = chan_mask;
++ if (!mask && chan < 32)
++ mask = 1U << chan;
+
+ switch (data[0]) {
+ case INSN_CONFIG_DIO_INPUT:
+@@ -382,7 +382,7 @@ EXPORT_SYMBOL_GPL(comedi_dio_insn_config
+ unsigned int comedi_dio_update_state(struct comedi_subdevice *s,
+ unsigned int *data)
+ {
+- unsigned int chanmask = (s->n_chan < 32) ? ((1 << s->n_chan) - 1)
++ unsigned int chanmask = (s->n_chan < 32) ? 
((1U << s->n_chan) - 1)
+ : 0xffffffff;
+ unsigned int mask = data[0] & chanmask;
+ unsigned int bits = data[1];
+@@ -625,8 +625,8 @@ static int insn_rw_emulate_bits(struct c
+ if (insn->insn == INSN_WRITE) {
+ if (!(s->subdev_flags & SDF_WRITABLE))
+ return -EINVAL;
+- _data[0] = 1 << (chan - base_chan); /* mask */
+- _data[1] = data[0] ? (1 << (chan - base_chan)) : 0; /* bits */
++ _data[0] = 1U << (chan - base_chan); /* mask */
++ _data[1] = data[0] ? (1U << (chan - base_chan)) : 0; /* bits */
+ }
+
+ ret = s->insn_bits(dev, s, &_insn, _data);
+@@ -709,7 +709,7 @@ static int __comedi_device_postconfig(st
+
+ if (s->type == COMEDI_SUBD_DO) {
+ if (s->n_chan < 32)
+- s->io_bits = (1 << s->n_chan) - 1;
++ s->io_bits = (1U << s->n_chan) - 1;
+ else
+ s->io_bits = 0xffffffff;
+ }
diff --git a/queue-5.4/comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch b/queue-5.4/comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch
new file mode 100644
index 0000000000..408b22008f
--- /dev/null
+++ b/queue-5.4/comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch
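Review bot: In the comedi_dio_insn_config hunk, `if (!mask && chan < 32) mask = 1U << chan;` leaves `mask` at 0 when the caller passed no mask and `CR_CHAN(insn->chanspec)` is 32 or more, so the function continues into `switch (data[0])` with an empty mask instead of rejecting the instruction; the removed line shifted `1` by that channel number unconditionally, so this is not a regression, but `if (!mask) { if (chan >= 32) return -EINVAL; mask = 1U << chan; }` would turn an out-of-range channel into a reported error rather than a silent no-op. The switch body is outside the hunk, so whether a zero mask is already caught there cannot be confirmed from this view. The `1U << (chan - base_chan)` shifts in the insn_rw_emulate_bits hunk likewise assume `chan - base_chan` is below 32; that bound is established outside the hunk. All three functions touched here start and end outside their hunks.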
@@ -0,0 +1,59 @@
+From e9cb26291d009243a4478a7ffb37b3a9175bfce9 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Mon, 7 Jul 2025 16:33:54 +0100
+Subject: comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
+
+From: Ian Abbott
+
+commit e9cb26291d009243a4478a7ffb37b3a9175bfce9 upstream.
+
+For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital"
+subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and
+`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have
+`insn_read` and `insn_write` handler functions, but to have an
+`insn_bits` handler function for handling Comedi `INSN_BITS`
+instructions. In that case, the subdevice's `insn_read` and/or
+`insn_write` function handler pointers are set to point to the
+`insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`.
+
+For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the
+supplied `data[0]` value is a valid copy from user memory. It will at
+least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in
+"comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are
+allocated. However, if `insn->n` is 0 (which is allowable for
+`INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain
+uninitialized data, and certainly contains invalid data, possibly from a
+different instruction in the array of instructions handled by
+`do_insnlist_ioctl()`. This will result in an incorrect value being
+written to the digital output channel (or to the digital input/output
+channel if configured as an output), and may be reflected in the
+internal saved state of the channel.
+
+Fix it by returning 0 early if `insn->n` is 0, before reaching the code
+that accesses `data[0]`. Previously, the function always returned 1 on
+success, but it is supposed to be the number of data samples actually
+read or written up to `insn->n`, which is 0 in this case.
+
+Reported-by: syzbot+cb96ec476fb4914445c9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9
+Fixes: ed9eccbe8970 ("Staging: add comedi core")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott
+Link: https://lore.kernel.org/r/20250707153355.82474-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/comedi/drivers.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/comedi/drivers.c
++++ b/drivers/staging/comedi/drivers.c
+@@ -615,6 +615,9 @@ static int insn_rw_emulate_bits(struct c
+ unsigned int _data[2];
+ int ret;
+
++ if (insn->n == 0)
++ return 0;
++
+ memset(_data, 0, sizeof(_data));
+ memset(&_insn, 0, sizeof(_insn));
+ _insn.insn = INSN_BITS;
diff --git a/queue-5.4/series b/queue-5.4/series
index 37d678ace0..28a3194793 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -23,3 +23,8 @@ iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch
 iio-adc-max1363-reorder-mode_list-entries.patch
 iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch
 comedi-pcl812-fix-bit-shift-out-of-bounds.patch
+comedi-aio_iiro_16-fix-bit-shift-out-of-bounds.patch
+comedi-das16m1-fix-bit-shift-out-of-bounds.patch
+comedi-das6402-fix-bit-shift-out-of-bounds.patch
+comedi-fix-some-signed-shift-left-operations.patch
+comedi-fix-use-of-uninitialized-data-in-insn_rw_emulate_bits.patch