+++ /dev/null
-From 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 Mon Sep 17 00:00:00 2001
-From: Muhammad Bilal <meatuni001@gmail.com>
-Date: Wed, 20 May 2026 18:56:43 -0400
-Subject: Bluetooth: HIDP: fix missing length checks in hidp_input_report()
-
-From: Muhammad Bilal <meatuni001@gmail.com>
-
-commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream.
-
-hidp_input_report() reads keyboard and mouse payload data from an skb
-without first verifying that skb->len contains enough data.
-
-hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
-to hidp_input_report(). If a paired device sends a truncated packet,
-the handler reads beyond the valid skb data, resulting in an
-out-of-bounds read of skb data. The OOB bytes may be interpreted as
-phantom key presses or spurious mouse movement.
-
-Replace the open-coded length tracking and pointer arithmetic with
-skb_pull_data() calls. skb_pull_data() returns NULL if the requested
-bytes are not present, eliminating the need for a manual size variable
-and the separate skb->len guard.
-
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable@vger.kernel.org
-Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/bluetooth/hidp/core.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
---- a/net/bluetooth/hidp/core.c
-+++ b/net/bluetooth/hidp/core.c
-@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid
- {
- struct input_dev *dev = session->input;
- unsigned char *keys = session->keys;
-- unsigned char *udata = skb->data + 1;
-- signed char *sdata = skb->data + 1;
-- int i, size = skb->len - 1;
-+ unsigned char *udata;
-+ signed char *sdata;
-+ u8 *hdr;
-+ int i;
-+
-+ hdr = skb_pull_data(skb, 1);
-+ if (!hdr)
-+ return;
-
-- switch (skb->data[0]) {
-+ switch (*hdr) {
- case 0x01: /* Keyboard report */
-+ udata = skb_pull_data(skb, 8);
-+ if (!udata)
-+ break;
-+
- for (i = 0; i < 8; i++)
- input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1);
-
-@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid
- break;
-
- case 0x02: /* Mouse report */
-+ sdata = skb_pull_data(skb, 3);
-+ if (!sdata)
-+ break;
-+
- input_report_key(dev, BTN_LEFT, sdata[0] & 0x01);
- input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02);
- input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04);
-@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid
- input_report_rel(dev, REL_X, sdata[1]);
- input_report_rel(dev, REL_Y, sdata[2]);
-
-- if (size > 3)
-+ if (skb->len > 0)
- input_report_rel(dev, REL_WHEEL, sdata[3]);
- break;
- }
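Review bot: Dropping this queued patch leaves hidp_input_report() on this branch without any length validation, and the page shows neither a replacement nor a reason for the drop. Per the removed description, a paired device that sends a truncated frame makes the handler read past the valid skb data and report the stray bytes as key presses or mouse movement. If the drop is because `skb_pull_data()` is not available on this branch (an assumption; nothing here says so), the same protection can be kept with the original open-coded variables: `if (skb->len < 1) return;` before the switch, `if (size < 8) break;` at the top of the keyboard case and `if (size < 3) break;` at the top of the mouse case. The function body continues outside the quoted hunks, so any backport should be checked against the full function.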
hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch
ipc-limit-next_id-allocation-to-the-valid-id-range.patch
bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch
-bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch
parport-fix-race-between-port-and-client-registration.patch
iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
+++ /dev/null
-From 5237c3175cae5ab05f18878cec3301a04403859e Mon Sep 17 00:00:00 2001
-From: Rodrigo Alencar <rodrigo.alencar@analog.com>
-Date: Tue, 5 May 2026 13:35:04 +0100
-Subject: iio: dac: ad5686: acquire lock when doing powerdown control
-
-From: Rodrigo Alencar <rodrigo.alencar@analog.com>
-
-commit 5237c3175cae5ab05f18878cec3301a04403859e upstream.
-
-Protect access of pwr_down_mode and pwr_down_mask fields with existing
-mutex lock. Each channel exposes their own attributes for controlling
-powerdown modes and powerdown state. This fixes potential race conditions
-as those the write functions perform non-atomic read-modify-write
-operations to those pwr_down_* fields. This issue exists since the ad5686
-driver was first introduced.
-
-Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters")
-Signed-off-by: Rodrigo Alencar <rodrigo.alencar@analog.com>
-Cc: <Stable@vger.kernel.org>
-Signed-off-by: Jonathan Cameron <jic23@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/iio/dac/ad5686.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/drivers/iio/dac/ad5686.c
-+++ b/drivers/iio/dac/ad5686.c
-@@ -30,6 +30,8 @@ static int ad5686_get_powerdown_mode(str
- {
- struct ad5686_state *st = iio_priv(indio_dev);
-
-+ guard(mutex)(&st->lock);
-+
- return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1;
- }
-
-@@ -39,6 +41,8 @@ static int ad5686_set_powerdown_mode(str
- {
- struct ad5686_state *st = iio_priv(indio_dev);
-
-+ guard(mutex)(&st->lock);
-+
- st->pwr_down_mode &= ~(0x3 << (chan->channel * 2));
- st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2));
-
-@@ -57,6 +61,8 @@ static ssize_t ad5686_read_dac_powerdown
- {
- struct ad5686_state *st = iio_priv(indio_dev);
-
-+ guard(mutex)(&st->lock);
-+
- return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask &
- (0x3 << (chan->channel * 2))));
- }
-@@ -77,6 +83,8 @@ static ssize_t ad5686_write_dac_powerdow
- if (ret)
- return ret;
-
-+ guard(mutex)(&st->lock);
-+
- if (readin)
- st->pwr_down_mask |= (0x3 << (chan->channel * 2));
- else
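Review bot: With this patch dropped, the four powerdown accessors on this branch go back to reading and updating `st->pwr_down_mode` and `st->pwr_down_mask` without `st->lock`, so concurrent writes to the per-channel attributes can lose each other's read-modify-write update. No replacement is visible on the page. If the reason is that `guard(mutex)` is unavailable on this branch (not stated here), a backport with explicit `mutex_lock(&st->lock);` and `mutex_unlock(&st->lock);` covers the same accesses. The two getters would need a local to hold the value before unlocking, and ad5686_write_dac_powerdown() continues past the hunk, so every return path after the lock needs the unlock.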
iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
iio-dac-ad5686-fix-input-raw-value-check.patch
-iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch
iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch
iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch
iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch
+++ /dev/null
-From f185e05dce6f170f83c4ba602e969b1c3c7a22e6 Mon Sep 17 00:00:00 2001
-From: Sean Christopherson <seanjc@google.com>
-Date: Fri, 1 May 2026 13:22:32 -0700
-Subject: KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
-
-From: Sean Christopherson <seanjc@google.com>
-
-commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream.
-
-Now that all paths in KVM properly validate the length needed for the
-scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM
-attempts to configured the scratch area with min_len==0 to guard against
-future bugs.
-
-Cc: stable@vger.kernel.org
-Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
-Reviewed-by: Michael Roth <michael.roth@amd.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-ID: <20260501202250.2115252-8-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/svm/sev.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/arch/x86/kvm/svm/sev.c
-+++ b/arch/x86/kvm/svm/sev.c
-@@ -2658,6 +2658,9 @@ static int setup_vmgexit_scratch(struct
- u64 scratch_gpa_beg, scratch_gpa_end;
- void *scratch_va;
-
-+ if (WARN_ON_ONCE(!min_len))
-+ goto e_scratch;
-+
- scratch_gpa_beg = svm->sev_es.sw_scratch;
- if (!scratch_gpa_beg) {
- pr_err("vmgexit: scratch gpa not provided\n");
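Review bot: The drop should be paired with a check of whether the caller-side length fixes are queued for this branch, because the removed description says the `WARN_ON_ONCE(!min_len)` check is only valid once every caller of setup_vmgexit_scratch() validates the length. The Message-ID appears to mark this as patch 8 of a series, which suggests those fixes are separate patches. If they are missing here, a zero `min_len` still reaches the scratch setup silently; if they are present, the check is cheap hardening worth keeping. The same patch is dropped again in the next section (the hunk at -2692), and the same question applies there. The reason for the drop is not visible on this page and would be worth recording in the commit message.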
bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch
parport-fix-race-between-port-and-client-registration.patch
usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
-kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch
iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
iio-dac-ad5686-fix-input-raw-value-check.patch
+++ /dev/null
-From f185e05dce6f170f83c4ba602e969b1c3c7a22e6 Mon Sep 17 00:00:00 2001
-From: Sean Christopherson <seanjc@google.com>
-Date: Fri, 1 May 2026 13:22:32 -0700
-Subject: KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
-
-From: Sean Christopherson <seanjc@google.com>
-
-commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream.
-
-Now that all paths in KVM properly validate the length needed for the
-scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM
-attempts to configured the scratch area with min_len==0 to guard against
-future bugs.
-
-Cc: stable@vger.kernel.org
-Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
-Reviewed-by: Michael Roth <michael.roth@amd.com>
-Signed-off-by: Sean Christopherson <seanjc@google.com>
-Message-ID: <20260501202250.2115252-8-seanjc@google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kvm/svm/sev.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/arch/x86/kvm/svm/sev.c
-+++ b/arch/x86/kvm/svm/sev.c
-@@ -2692,6 +2692,9 @@ static int setup_vmgexit_scratch(struct
- u64 scratch_gpa_beg, scratch_gpa_end;
- void *scratch_va;
-
-+ if (WARN_ON_ONCE(!min_len))
-+ goto e_scratch;
-+
- scratch_gpa_beg = svm->sev_es.sw_scratch;
- if (!scratch_gpa_beg) {
- pr_err("vmgexit: scratch gpa not provided\n");
usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
kvm-arm64-pmu-preserve-aarch32-counter-low-bits.patch
kvm-svm-flush-the-current-tlb-when-transitioning-from-xavic-x2avic.patch
-kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch
iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
iio-dac-ad5686-fix-input-raw-value-check.patch