+++ /dev/null
-From dba101d1996094f95b55756577c12d387d51f62a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 26 Apr 2026 01:26:43 +0000
-Subject: bpf: Free reuseport cBPF prog after RCU grace period.
-
-From: Kuniyuki Iwashima <kuniyu@google.com>
-
-[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ]
-
-Eulgyu Kim reported the splat below with a repro. [0]
-
-The repro sets up a UDP reuseport group with a cBPF prog and
-replaces it with a new one while another thread is sending
-a UDP packet to the group.
-
-The reuseport prog is freed by sk_reuseport_prog_free().
-bpf_prog_put() is called for "e"BPF prog to destruct through
-multiple stages while cBPF prog is freed immediately by
-bpf_release_orig_filter() and bpf_prog_free().
-
-If a reuseport prog is detached from the setsockopt() path
-(reuseport_attach_prog() or reuseport_detach_prog()),
-sk_reuseport_prog_free() is called without waiting for RCU
-readers to complete, resulting in various bugs.
-
-Let's defer freeing the reuseport cBPF prog after one RCU
-grace period.
-
-Note "e"BPF prog is safe as is unless the fast path starts
-to touch fields destroyed in bpf_prog_put_deferred() and
-__bpf_prog_put_noref().
-
-[0]:
-BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
-Read of size 4 at addr ffffc9000051e004 by task slowme/10208
-CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
-Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
-Call Trace:
- <IRQ>
- dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
- print_address_description mm/kasan/report.c:378 [inline]
- print_report+0xca/0x240 mm/kasan/report.c:482
- kasan_report+0x118/0x150 mm/kasan/report.c:595
- reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
- udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
- __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
- __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
- __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
- ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
- ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
- NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
- NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
- __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
- __netif_receive_skb net/core/dev.c:6294 [inline]
- process_backlog+0xaa4/0x1960 net/core/dev.c:6645
- __napi_poll+0xae/0x340 net/core/dev.c:7709
- napi_poll net/core/dev.c:7772 [inline]
- net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
- handle_softirqs+0x22b/0x870 kernel/softirq.c:622
- do_softirq+0x76/0xd0 kernel/softirq.c:523
- </IRQ>
- <TASK>
- __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
- local_bh_enable include/linux/bottom_half.h:33 [inline]
- rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
- __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
- neigh_output include/net/neighbour.h:556 [inline]
- ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
- NF_HOOK_COND include/linux/netfilter.h:307 [inline]
- ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
- ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
- udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
- udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
- sock_sendmsg_nosec net/socket.c:727 [inline]
- __sock_sendmsg net/socket.c:742 [inline]
- __sys_sendto+0x554/0x680 net/socket.c:2206
- __do_sys_sendto net/socket.c:2213 [inline]
- __se_sys_sendto net/socket.c:2209 [inline]
- __x64_sys_sendto+0xde/0x100 net/socket.c:2209
- do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
- do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
- entry_SYSCALL_64_after_hwframe+0x77/0x7f
-RIP: 0033:0x415a2d
-Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
-RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
-RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
-RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
-RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
-R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
-R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
- </TASK>
-
-Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
-Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
-Reported-by: Taeyang Lee <0wn@theori.io>
-Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/core/filter.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/net/core/filter.c b/net/core/filter.c
-index 5fbce37db28323..27550e8b05a655 100644
---- a/net/core/filter.c
-+++ b/net/core/filter.c
-@@ -1640,15 +1640,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
- return err;
- }
-
-+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
-+{
-+ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
-+ struct bpf_prog *prog = aux->prog;
-+
-+ bpf_release_orig_filter(prog);
-+ bpf_prog_free(prog);
-+}
-+
- void sk_reuseport_prog_free(struct bpf_prog *prog)
- {
- if (!prog)
- return;
-
-- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
-- bpf_prog_put(prog);
-+ if (bpf_prog_was_classic(prog))
-+ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
- else
-- bpf_prog_destroy(prog);
-+ bpf_prog_put(prog);
- }
-
- struct bpf_scratchpad {
---
-2.53.0
-
+++ /dev/null
-From ed74ef50ca68bf8f00d4a284a48400cfd376ec85 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 5 Mar 2022 04:16:42 +0530
-Subject: compiler-clang.h: Add __diag infrastructure for clang
-
-From: Nathan Chancellor <nathan@kernel.org>
-
-commit f014a00bbeb09cea16017b82448d32a468a6b96f upstream.
-
-Add __diag macros similar to those in compiler-gcc.h, so that warnings
-that need to be adjusted for specific cases but not globally can be
-ignored when building with clang.
-
-Signed-off-by: Nathan Chancellor <nathan@kernel.org>
-Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Link: https://lore.kernel.org/bpf/20220304224645.3677453-6-memxor@gmail.com
-
-[ Kartikeya: wrote commit message ]
-
-Signed-off-by: Nathan Chancellor <nathan@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/compiler-clang.h | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
-index d9376e327d665f..fae3775d02b516 100644
---- a/include/linux/compiler-clang.h
-+++ b/include/linux/compiler-clang.h
-@@ -126,3 +126,25 @@
- #if __has_feature(shadow_call_stack)
- # define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))
- #endif
-+
-+/*
-+ * Turn individual warnings and errors on and off locally, depending
-+ * on version.
-+ */
-+#define __diag_clang(version, severity, s) \
-+ __diag_clang_ ## version(__diag_clang_ ## severity s)
-+
-+/* Severity used in pragma directives */
-+#define __diag_clang_ignore ignored
-+#define __diag_clang_warn warning
-+#define __diag_clang_error error
-+
-+#define __diag_str1(s) #s
-+#define __diag_str(s) __diag_str1(s)
-+#define __diag(s) _Pragma(__diag_str(clang diagnostic s))
-+
-+#if CONFIG_CLANG_VERSION >= 110000
-+#define __diag_clang_11(s) __diag(s)
-+#else
-+#define __diag_clang_11(s)
-+#endif
---
-2.53.0
-
+++ /dev/null
-From e63d213f19a7f0c5ad532a66da7a82c625c3867f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 16 May 2026 04:34:14 +0900
-Subject: Disable -Wattribute-alias for clang-23 and newer
-
-From: Nathan Chancellor <nathan@kernel.org>
-
-commit 175db11786bde9061db526bf1ac5107d915f5163 upstream.
-
-Clang recently added support for -Wattribute-alias [1], which results in
-the same warnings that necessitated commit bee20031772a ("disable
--Wattribute-alias warning for SYSCALL_DEFINEx()") for GCC.
-
- kernel/time/itimer.c:325:1: error: alias and aliasee have different types 'long (unsigned int)' and 'long (typeof (__builtin_choose_expr((__builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0LL)) || __builtin_types_compatible_p(typeof ((unsigned int)0), typeof (0ULL))), 0LL, 0L)))' (aka 'long (long)') [-Werror,-Wattribute-alias]
- 325 | SYSCALL_DEFINE1(alarm, unsigned int, seconds)
- | ^
- include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
- 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
- | ^
- include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
- 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
- | ^
- include/linux/syscalls.h:251:18: note: expanded from macro '__SYSCALL_DEFINEx'
- 251 | __attribute__((alias(__stringify(__se_sys##name)))); \
- | ^
- kernel/time/itimer.c:325:1: note: aliasee is declared here
- include/linux/syscalls.h:225:36: note: expanded from macro 'SYSCALL_DEFINE1'
- 225 | #define SYSCALL_DEFINE1(name, ...) SYSCALL_DEFINEx(1, _##name, __VA_ARGS__)
- | ^
- include/linux/syscalls.h:236:2: note: expanded from macro 'SYSCALL_DEFINEx'
- 236 | __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
- | ^
- include/linux/syscalls.h:255:18: note: expanded from macro '__SYSCALL_DEFINEx'
- 255 | asmlinkage long __se_sys##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
- | ^
- <scratch space>:16:1: note: expanded from here
- 16 | __se_sys_alarm
- | ^
-
-Disable the warnings in the same way for clang-23 and newer. Disable the
-warning about unknown warning options to avoid breaking the build for
-versions of clang-23 that do not have -Wattribute-alias, such as ones
-deployed by vendors like Android or CI systems or when bisecting LLVM
-between llvmorg-23-init and release/23.x.
-
-Cc: stable@vger.kernel.org
-Closes: https://github.com/ClangBuiltLinux/linux/issues/2163
-Link: https://github.com/llvm/llvm-project/commit/40da6920a0d71d49dfa2392b09153600b0759f5e [1]
-Link: https://patch.msgid.link/20260515-syscall-disable-attribute-alias-for-clang-v1-1-9a9d95d41df6@kernel.org
-[nathan: Drop arch/riscv hunk in older trees and address conflicts]
-Signed-off-by: Nathan Chancellor <nathan@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/compat.h | 4 ++++
- include/linux/compiler-clang.h | 6 ++++++
- include/linux/compiler_types.h | 4 ++++
- include/linux/syscalls.h | 4 ++++
- 4 files changed, 18 insertions(+)
-
-diff --git a/include/linux/compat.h b/include/linux/compat.h
-index 8dffffe846ce54..93c9bbec96acba 100644
---- a/include/linux/compat.h
-+++ b/include/linux/compat.h
-@@ -75,6 +75,10 @@
- __diag_push(); \
- __diag_ignore(GCC, 8, "-Wattribute-alias", \
- "Type aliasing is used to sanitize syscall arguments");\
-+ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
-+ "Avoid breaking versions without -Wattribute-alias"); \
-+ __diag_ignore(clang, 23, "-Wattribute-alias", \
-+ "Type aliasing is used to sanitize syscall arguments"); \
- asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)); \
- asmlinkage long compat_sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
- __attribute__((alias(__stringify(__se_compat_sys##name)))); \
-diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
-index fae3775d02b516..a8953f9c766bcf 100644
---- a/include/linux/compiler-clang.h
-+++ b/include/linux/compiler-clang.h
-@@ -148,3 +148,9 @@
- #else
- #define __diag_clang_11(s)
- #endif
-+
-+#if CONFIG_CLANG_VERSION >= 230000
-+#define __diag_clang_23(s) __diag(s)
-+#else
-+#define __diag_clang_23(s)
-+#endif
-diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
-index 9cecd02c1280a9..88cc4457297d22 100644
---- a/include/linux/compiler_types.h
-+++ b/include/linux/compiler_types.h
-@@ -320,6 +320,10 @@ struct ftrace_likely_data {
- #define __diag_GCC(version, severity, string)
- #endif
-
-+#ifndef __diag_clang
-+#define __diag_clang(version, severity, string)
-+#endif
-+
- #define __diag_push() __diag(push)
- #define __diag_pop() __diag(pop)
-
-diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
-index a96e924c7b45ed..339a35aad83935 100644
---- a/include/linux/syscalls.h
-+++ b/include/linux/syscalls.h
-@@ -236,6 +236,10 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
- __diag_push(); \
- __diag_ignore(GCC, 8, "-Wattribute-alias", \
- "Type aliasing is used to sanitize syscall arguments");\
-+ __diag_ignore(clang, 23, "-Wunknown-warning-option", \
-+ "Avoid breaking versions without -Wattribute-alias");\
-+ __diag_ignore(clang, 23, "-Wattribute-alias", \
-+ "Type aliasing is used to sanitize syscall arguments");\
- asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
- __attribute__((alias(__stringify(__se_sys##name)))); \
- ALLOW_ERROR_INJECTION(sys##name, ERRNO); \
---
-2.53.0
-
+++ /dev/null
-From 5caad7b86a7a1651a92e28c7d5df8b6d6114e265 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Jun 2026 11:02:23 +0100
-Subject: HID: core: Add printk_ratelimited variants to hid_warn() etc
-
-From: Vicki Pfau <vi@endrift.com>
-
-[ Upstream commit 1d64624243af8329b4b219d8c39e28ea448f9929 ]
-
-hid_warn_ratelimited() is needed. Add the others as part of the block.
-
-Signed-off-by: Vicki Pfau <vi@endrift.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.com>
-Signed-off-by: Lee Jones <lee@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/hid.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 03627c96d81457..ab56fffb74a200 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -1217,4 +1217,15 @@ do { \
- #define hid_dbg_once(hid, fmt, ...) \
- dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__)
-
-+#define hid_err_ratelimited(hid, fmt, ...) \
-+ dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
-+#define hid_notice_ratelimited(hid, fmt, ...) \
-+ dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
-+#define hid_warn_ratelimited(hid, fmt, ...) \
-+ dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
-+#define hid_info_ratelimited(hid, fmt, ...) \
-+ dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
-+#define hid_dbg_ratelimited(hid, fmt, ...) \
-+ dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__)
-+
- #endif
---
-2.53.0
-
+++ /dev/null
-From 651ac05ebcdab9ea3a41e1d85220ad9129d7c490 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Jun 2026 11:02:25 +0100
-Subject: HID: core: Fix size_t specifier in hid_report_raw_event()
-
-From: Nathan Chancellor <nathan@kernel.org>
-
-[ Upstream commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 ]
-
-When building for 32-bit platforms, for which 'size_t' is
-'unsigned int', there are warnings around using the incorrect format
-specifier to print bsize in hid_report_raw_event():
-
- drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
- 2053 | hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
- | ~~~
- | %zu
- 2054 | report->id, csize, bsize);
- | ^~~~~
- drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat]
- 2075 | hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
- | ~~~
- | %zu
- 2076 | report->id, rsize, bsize);
- | ^~~~~
-
-Use the proper 'size_t' format specifier, '%zu', to clear up the
-warnings.
-
-Cc: stable@vger.kernel.org
-Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event")
-Reported-by: Miguel Ojeda <ojeda@kernel.org>
-Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/
-Signed-off-by: Nathan Chancellor <nathan@kernel.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-(cherry picked from commit 3ab135238832446399614e7a4bb796d620717806)
-Signed-off-by: Lee Jones <lee@kernel.org>
-(cherry picked from commit 0f77a993b5426cca1b046c9ab4b2f8355a4d45dc)
-Signed-off-by: Lee Jones <lee@kernel.org>
-(cherry picked from commit 70333a8f866aad8cbd6956e2ec4ace159fa4243b)
-Signed-off-by: Lee Jones <lee@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hid/hid-core.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index c73f4ac16fdf24..918c66d5bc93f6 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1793,7 +1793,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
- return 0;
-
- if (unlikely(bsize < csize)) {
-- hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
-+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n",
- report->id, csize, bsize);
- return -EINVAL;
- }
-@@ -1815,7 +1815,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
- rsize = max_buffer_size;
-
- if (bsize < rsize) {
-- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
-+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n",
- report->id, rsize, bsize);
- return -EINVAL;
- }
---
-2.53.0
-
+++ /dev/null
-From 05c162178d5f6ec2e6f12bc4599977f0fd9b0573 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Jun 2026 11:02:24 +0100
-Subject: HID: pass the buffer size to hid_report_raw_event
-
-From: Benjamin Tissoires <bentiss@kernel.org>
-
-[ Upstream commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a ]
-
-commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing
-bogus memset()") enforced the provided data to be at least the size of
-the declared buffer in the report descriptor to prevent a buffer
-overflow. However, we can try to be smarter by providing both the buffer
-size and the data size, meaning that hid_report_raw_event() can make
-better decision whether we should plaining reject the buffer (buffer
-overflow attempt) or if we can safely memset it to 0 and pass it to the
-rest of the stack.
-
-Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()")
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
-Acked-by: Johan Hovold <johan@kernel.org>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.com>
-Stable-dep-of: 206342541fc8 ("HID: core: introduce hid_safe_input_report()")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-(cherry picked from commit 509c2605065004fc4cd86ee50a9350d402785307)
-[Lee: Backported to linux-6.12.y and beyond]
-Signed-off-by: Lee Jones <lee@kernel.org>
-(cherry picked from commit f9393998660f146970047bda31526aeb96190f28)
-Signed-off-by: Lee Jones <lee@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/hid/hid-core.c | 29 ++++++++++++++++++++++-------
- drivers/hid/hid-gfrm.c | 4 ++--
- drivers/hid/hid-logitech-hidpp.c | 2 +-
- drivers/hid/hid-multitouch.c | 2 +-
- drivers/hid/hid-primax.c | 2 +-
- drivers/hid/hid-vivaldi.c | 2 +-
- drivers/hid/wacom_sys.c | 6 +++---
- drivers/staging/greybus/hid.c | 2 +-
- include/linux/hid.h | 4 ++--
- 9 files changed, 34 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index aa9ae6ccb28a8f..c73f4ac16fdf24 100644
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1775,8 +1775,8 @@ int __hid_request(struct hid_device *hid, struct hid_report *report,
- }
- EXPORT_SYMBOL_GPL(__hid_request);
-
--int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
-- int interrupt)
-+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
-+ size_t bufsize, u32 size, int interrupt)
- {
- struct hid_report_enum *report_enum = hid->report_enum + type;
- struct hid_report *report;
-@@ -1784,16 +1784,24 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
- int max_buffer_size = HID_MAX_BUFFER_SIZE;
- unsigned int a;
- u32 rsize, csize = size;
-+ size_t bsize = bufsize;
- u8 *cdata = data;
- int ret = 0;
-
- report = hid_get_report(report_enum, data);
- if (!report)
-- goto out;
-+ return 0;
-+
-+ if (unlikely(bsize < csize)) {
-+ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n",
-+ report->id, csize, bsize);
-+ return -EINVAL;
-+ }
-
- if (report_enum->numbered) {
- cdata++;
- csize--;
-+ bsize--;
- }
-
- rsize = hid_compute_report_size(report);
-@@ -1806,9 +1814,15 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
- else if (rsize > max_buffer_size)
- rsize = max_buffer_size;
-
-+ if (bsize < rsize) {
-+ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n",
-+ report->id, rsize, bsize);
-+ return -EINVAL;
-+ }
-+
- if (csize < rsize) {
- dbg_hid("report %d is too short, (%d < %d)\n", report->id,
-- csize, rsize);
-+ csize, rsize);
- memset(cdata + csize, 0, rsize - csize);
- }
-
-@@ -1817,7 +1831,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
- if (hid->claimed & HID_CLAIMED_HIDRAW) {
- ret = hidraw_report_event(hid, data, size);
- if (ret)
-- goto out;
-+ return ret;
- }
-
- if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) {
-@@ -1830,7 +1844,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
-
- if (hid->claimed & HID_CLAIMED_INPUT)
- hidinput_report_event(hid, report);
--out:
-+
- return ret;
- }
- EXPORT_SYMBOL_GPL(hid_report_raw_event);
-@@ -1851,6 +1865,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i
- struct hid_report_enum *report_enum;
- struct hid_driver *hdrv;
- struct hid_report *report;
-+ size_t bufsize = size;
- int ret = 0;
-
- if (!hid)
-@@ -1889,7 +1904,7 @@ int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int i
- goto unlock;
- }
-
-- ret = hid_report_raw_event(hid, type, data, size, interrupt);
-+ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt);
-
- unlock:
- up(&hid->driver_input_lock);
-diff --git a/drivers/hid/hid-gfrm.c b/drivers/hid/hid-gfrm.c
-index 699186ff2349e9..d2a56bf92b416e 100644
---- a/drivers/hid/hid-gfrm.c
-+++ b/drivers/hid/hid-gfrm.c
-@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
- switch (data[1]) {
- case GFRM100_SEARCH_KEY_DOWN:
- ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn,
-- sizeof(search_key_dn), 1);
-+ sizeof(search_key_dn), sizeof(search_key_dn), 1);
- break;
-
- case GFRM100_SEARCH_KEY_AUDIO_DATA:
-@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_device *hdev, struct hid_report *report,
-
- case GFRM100_SEARCH_KEY_UP:
- ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up,
-- sizeof(search_key_up), 1);
-+ sizeof(search_key_up), sizeof(search_key_up), 1);
- break;
-
- default:
-diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
-index 98562a0ed0c338..d31f2737b13dca 100644
---- a/drivers/hid/hid-logitech-hidpp.c
-+++ b/drivers/hid/hid-logitech-hidpp.c
-@@ -3176,7 +3176,7 @@ static int hidpp10_consumer_keys_raw_event(struct hidpp_device *hidpp,
- memcpy(&consumer_report[1], &data[3], 4);
- /* We are called from atomic context */
- hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
-- consumer_report, 5, 1);
-+ consumer_report, sizeof(consumer_report), 5, 1);
-
- return 1;
- }
-diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
-index 948bd59ab5d21f..c3bcc23d7c7ca1 100644
---- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -449,7 +449,7 @@ static void mt_get_feature(struct hid_device *hdev, struct hid_report *report)
- }
-
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf,
-- size, 0);
-+ size, size, 0);
- if (ret)
- dev_warn(&hdev->dev, "failed to report feature\n");
- }
-diff --git a/drivers/hid/hid-primax.c b/drivers/hid/hid-primax.c
-index 1e6413d07cae21..16e2a811eda9f0 100644
---- a/drivers/hid/hid-primax.c
-+++ b/drivers/hid/hid-primax.c
-@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_device *hid, struct hid_report *report,
- data[0] |= (1 << (data[idx] - 0xE0));
- data[idx] = 0;
- }
-- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0);
-+ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0);
- return 1;
-
- default: /* unknown report */
-diff --git a/drivers/hid/hid-vivaldi.c b/drivers/hid/hid-vivaldi.c
-index d57ec17670379c..fdfea1355ee782 100644
---- a/drivers/hid/hid-vivaldi.c
-+++ b/drivers/hid/hid-vivaldi.c
-@@ -126,7 +126,7 @@ static void vivaldi_feature_mapping(struct hid_device *hdev,
- }
-
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data,
-- report_len, 0);
-+ report_len, report_len, 0);
- if (ret) {
- dev_warn(&hdev->dev, "failed to report feature %d\n",
- field->report->id);
-diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
-index 641898bde9c730..5043bc809aaeb5 100644
---- a/drivers/hid/wacom_sys.c
-+++ b/drivers/hid/wacom_sys.c
-@@ -79,7 +79,7 @@ static void wacom_wac_queue_flush(struct hid_device *hdev,
- int err;
-
- size = kfifo_out(fifo, buf, sizeof(buf));
-- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false);
-+ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false);
- if (err) {
- hid_warn(hdev, "%s: unable to flush event due to error %d\n",
- __func__, err);
-@@ -324,7 +324,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
- data, n, WAC_CMD_RETRIES);
- if (ret == n && features->type == HID_GENERIC) {
- ret = hid_report_raw_event(hdev,
-- HID_FEATURE_REPORT, data, n, 0);
-+ HID_FEATURE_REPORT, data, n, n, 0);
- } else if (ret == 2 && features->type != HID_GENERIC) {
- features->touch_max = data[1];
- } else {
-@@ -386,7 +386,7 @@ static void wacom_feature_mapping(struct hid_device *hdev,
- data, n, WAC_CMD_RETRIES);
- if (ret == n) {
- ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT,
-- data, n, 0);
-+ data, n, n, 0);
- } else {
- hid_warn(hdev, "%s: could not retrieve sensor offsets\n",
- __func__);
-diff --git a/drivers/staging/greybus/hid.c b/drivers/staging/greybus/hid.c
-index ed706f39e87a19..d68f60da0dd169 100644
---- a/drivers/staging/greybus/hid.c
-+++ b/drivers/staging/greybus/hid.c
-@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb_hid *ghid, struct hid_report *report)
- * we just need to setup the input fields, so using
- * hid_report_raw_event is safe.
- */
-- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1);
-+ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1);
- }
-
- static void gb_hid_init_reports(struct gb_hid *ghid)
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index ab56fffb74a200..aaae2fecd4ae6e 100644
---- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -1175,8 +1175,8 @@ static inline u32 hid_report_len(struct hid_report *report)
- return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
- }
-
--int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
-- int interrupt);
-+int hid_report_raw_event(struct hid_device *hid, int type, u8 *data,
-+ size_t bufsize, u32 size, int interrupt);
-
- /* HID quirks API */
- unsigned long hid_lookup_quirk(const struct hid_device *hdev);
---
-2.53.0
-
+++ /dev/null
-bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch
-hid-core-add-printk_ratelimited-variants-to-hid_warn.patch
-hid-pass-the-buffer-size-to-hid_report_raw_event.patch
-hid-core-fix-size_t-specifier-in-hid_report_raw_even.patch
-usb-serial-mct_u232-fix-memory-corruption-with-small.patch
-compiler-clang.h-add-__diag-infrastructure-for-clang.patch
-disable-wattribute-alias-for-clang-23-and-newer.patch
+++ /dev/null
-From 88ac9d3ecb476d111f8b9bda679669bc065ef860 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 4 Jun 2026 14:11:33 +0200
-Subject: USB: serial: mct_u232: fix memory corruption with small endpoint
-
-From: Johan Hovold <johan@kernel.org>
-
-commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream.
-
-The driver overrides the maximum transfer size for a specific device
-which only accepts 16 byte packets for its 32 byte bulk-out endpoint.
-
-Make sure to never increase the maximum transfer size to prevent slab
-corruption should a malicious device report a smaller endpoint max
-packet size than expected.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable@vger.kernel.org
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/serial/mct_u232.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c
-index 04f16d4a0a68ad..8842a1db72b396 100644
---- a/drivers/usb/serial/mct_u232.c
-+++ b/drivers/usb/serial/mct_u232.c
-@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
- {
- struct usb_serial *serial = port->serial;
- struct mct_u232_private *priv;
-+ u16 pid;
-
- /* check first to simplify error handling */
- if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
-@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port)
- return -ENODEV;
- }
-
-+ /*
-+ * Compensate for a hardware bug: although the Sitecom U232-P25
-+ * device reports a maximum output packet size of 32 bytes,
-+ * it seems to be able to accept only 16 bytes (and that's what
-+ * SniffUSB says too...)
-+ */
-+ pid = le16_to_cpu(serial->dev->descriptor.idProduct);
-+ if (pid == MCT_U232_SITECOM_PID)
-+ port->bulk_out_size = min(16, port->bulk_out_size);
-+
- priv = kzalloc(sizeof(*priv), GFP_KERNEL);
- if (!priv)
- return -ENOMEM;
-@@ -412,7 +423,6 @@ static int mct_u232_port_remove(struct usb_serial_port *port)
-
- static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
- {
-- struct usb_serial *serial = port->serial;
- struct mct_u232_private *priv = usb_get_serial_port_data(port);
- int retval = 0;
- unsigned int control_state;
-@@ -420,15 +430,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port)
- unsigned char last_lcr;
- unsigned char last_msr;
-
-- /* Compensate for a hardware bug: although the Sitecom U232-P25
-- * device reports a maximum output packet size of 32 bytes,
-- * it seems to be able to accept only 16 bytes (and that's what
-- * SniffUSB says too...)
-- */
-- if (le16_to_cpu(serial->dev->descriptor.idProduct)
-- == MCT_U232_SITECOM_PID)
-- port->bulk_out_size = 16;
--
- /* Do a defined restart: the normal serial device seems to
- * always turn on DTR and RTS here, so do the same. I'm not
- * sure if this is really necessary. But it should not harm
---
-2.53.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
