6.1-stable patches

added patches:
	hid-core-harden-s32ton-against-conversion-to-0-bits.patch

diff --git a/queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch b/queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch
new file mode 100644 (file)
index 0000000..c8258cd
--- /dev/null
+++ b/queue-6.1/hid-core-harden-s32ton-against-conversion-to-0-bits.patch
@@ -0,0 +1,55 @@
+From stable+bounces-198191-greg=kroah.com@vger.kernel.org Wed Dec  3 12:35:57 2025
+From: jetlan9@163.com
+Date: Wed,  3 Dec 2025 11:24:50 +0000
+Subject: HID: core: Harden s32ton() against conversion to 0 bits
+To: stable@vger.kernel.org
+Cc: Alan Stern <stern@rowland.harvard.edu>, syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com, Benjamin Tissoires <bentiss@kernel.org>, Wenshan Lan <jetlan9@163.com>
+Message-ID: <20251203112450.4314-1-jetlan9@163.com>
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd ]
+
+Testing by the syzbot fuzzer showed that the HID core gets a
+shift-out-of-bounds exception when it tries to convert a 32-bit
+quantity to a 0-bit quantity.  Ideally this should never occur, but
+there are buggy devices and some might have a report field with size
+set to zero; we shouldn't reject the report or the device just because
+of that.
+
+Instead, harden the s32ton() routine so that it returns a reasonable
+result instead of crashing when it is called with the number of bits
+set to 0 -- the same as what snto32() does.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/
+Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+[ s32ton() was moved by c653ffc28340 ("HID: stop exporting hid_snto32()").
+  Minor context change fixed. ]
+Signed-off-by: Wenshan Lan <jetlan9@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1354,7 +1354,12 @@ EXPORT_SYMBOL_GPL(hid_snto32);
+ 
+ static u32 s32ton(__s32 value, unsigned n)
+ {
+-      s32 a = value >> (n - 1);
++      s32 a;
++      if (!value || !n)
++              return 0;
++
++      a = value >> (n - 1);
++
+       if (a && a != -1)
+               return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1;
+       return value & ((1 << n) - 1);

diff --git a/queue-6.1/series b/queue-6.1/series
index 2975c8f79fc294f685c4f23089585c882aac1f42..3d8a9d2e07b1afea0292a2fa34356d97f2c34f86 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -565,3 +565,4 @@ usb-udc-add-trace-event-for-usb_gadget_set_state.patch
 usb-gadget-udc-fix-use-after-free-in-usb_gadget_state_work.patch
 scsi-pm80xx-set-phy-enable_completion-only-when-we.patch
 i2c-xgene-slimpro-migrate-to-use-generic-pcc-shmem-related-macros.patch
+hid-core-harden-s32ton-against-conversion-to-0-bits.patch